Know how to share your intelligence with the Traffic Light Protocol

“Let’s talk about” is a series I have been planning for a while. It will cover topics which are quite old, but which I find myself explaining quite often.
The Traffic Light Protocol (TLP) was first developed by first.org, a community of security professionals working in incident response, in practice mainly CERT teams.
As you might imagine, when CERT people come together they are keen to share knowledge and insights on the latest and most urgent events they are facing. But how do you avoid over-sharing: publicly exposing that your company may or may not be affected by a certain threat actor or vulnerability, or letting the effort you invested in investigating a certain threat become public knowledge, at which point your advantage vanishes?
Well, I can imagine that those thoughts were fundamental to the birth of TLP.
Everybody in the security space should have a basic understanding of TLP and know what green, amber and red mean. If you don’t, let me walk you through it.
White (TLP:WHITE : R=255, G=255, B=255)
Well, white is not really a traffic light colour, but that is actually the point. Information tagged TLP:white is effectively public domain and can be used however you like. Go home and tell your grandmother about it, or write a fancy blog post; no harm, no foul.
Green (TLP:GREEN : R=51, G=255, B=0)
This level already limits the sharing you are allowed to do. Being the lowest entry point to the protocol, information tagged TLP:green should stay within the sharing community and your broader organisation. Feel free to tell everyone in your company and your partners; you could, for example, announce it in your company canteen and nobody would complain.
Amber (TLP:AMBER : R=255, G=192, B=0)
Staying with the examples, the canteen is not the right place to disclose this one. “Organisation only” is the phrase to keep in mind: information tagged TLP:amber should be limited to your team meetings, your SOC and your board rooms.
Be careful if data tagged this way is to be enriched: many organisations would regard sending the indicator to a third-party vendor as breaking the protocol.
Red (TLP:RED : R=255, G=0, B=51)
You and you alone. Remember when your childhood friend pulled you away from the group and started with “please tell nobody”? That is exactly what TLP:red means.
This is usually the hardest TLP category to work with, and it makes acting on the information really difficult: you can basically not even search for the indicator in your SIEM, because the query would show up in the search history. So act with caution.
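To make the four levels above, the amber enrichment caveat and the red SIEM-history caveat concrete, here is a small handling-policy checker. It is an added example written for this post, not code from first.org or any TLP tooling. The audience names (public, partner, organisation, recipient), the action names (share, enrich, siem_search) and the choice to treat a third-party enrichment vendor as a "partner" audience are this example's own assumptions; the colour levels and RGB values are the ones listed in the post.

```python
"""Minimal TLP handling-policy checker (added example, hypothetical design).

Encodes the sharing scope of each TLP level as described in the post and two
operational checks the post warns about: third-party enrichment of amber data
and SIEM searches for red indicators.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class TLP(Enum):
    WHITE = "TLP:WHITE"
    GREEN = "TLP:GREEN"
    AMBER = "TLP:AMBER"
    RED = "TLP:RED"


# RGB values as given in the post, for rendering the label in a report or UI.
TLP_RGB = {
    TLP.WHITE: (255, 255, 255),
    TLP.GREEN: (51, 255, 0),
    TLP.AMBER: (255, 192, 0),
    TLP.RED: (255, 0, 51),
}

# Audiences ranked from widest (0) to narrowest (3). A level permits every
# audience at its own rank or narrower. "partner" stands for the sharing
# community and external partners; placing a third-party enrichment vendor
# there is this example's assumption, following the post's amber caveat.
AUDIENCE_RANK = {"public": 0, "partner": 1, "organisation": 2, "recipient": 3}

# Narrowest audience each level still allows: white is public, red is you alone.
MIN_RANK = {TLP.WHITE: 0, TLP.GREEN: 1, TLP.AMBER: 2, TLP.RED: 3}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_tlp(label: str) -> TLP:
    """Normalise 'tlp:amber', 'AMBER' or 'TLP:Amber' to a TLP member; reject unknown colours."""
    colour = label.strip().upper()
    if colour.startswith("TLP:"):
        colour = colour[4:]
    try:
        return TLP[colour]
    except KeyError:
        raise ValueError(f"unknown TLP label: {label!r}") from None


def can_share(level: TLP, audience: str) -> bool:
    """True if the audience is at least as narrow as the level requires."""
    if audience not in AUDIENCE_RANK:
        raise ValueError(f"unknown audience: {audience!r}")
    return AUDIENCE_RANK[audience] >= MIN_RANK[level]


def check_action(label: str, action: str, audience: Optional[str] = None) -> Decision:
    """Decide whether an action on data carrying `label` stays within the protocol.

    Hypothetical action names used by this example:
      share        - pass the information to `audience`
      enrich       - send the indicator to a third-party enrichment vendor
      siem_search  - query the indicator in a SIEM that keeps a search history
    """
    level = parse_tlp(label)
    if action == "share":
        if audience is None:
            raise ValueError("share requires an audience")
        ok = can_share(level, audience)
        verb = "permits" if ok else "forbids"
        return Decision(ok, f"{level.value} {verb} sharing with {audience}")
    if action == "enrich":
        ok = can_share(level, "partner")
        why = "enrichment allowed" if ok else "enrichment would disclose the indicator outside the organisation"
        return Decision(ok, f"{level.value}: {why}")
    if action == "siem_search":
        if level is TLP.RED:
            return Decision(False, "TLP:RED: a SIEM query would leave the indicator in the search history")
        return Decision(True, f"{level.value}: SIEM search stays inside the organisation")
    raise ValueError(f"unknown action: {action!r}")


if __name__ == "__main__":
    # Constructed sample of actions an analyst might be about to take.
    planned = [
        ("TLP:WHITE", "share", "public"),
        ("TLP:GREEN", "share", "public"),
        ("TLP:GREEN", "enrich", None),
        ("TLP:AMBER", "enrich", None),
        ("TLP:RED", "siem_search", None),
    ]
    for label, action, audience in planned:
        d = check_action(label, action, audience)
        print(f"{label:10} {action:12} -> {'OK  ' if d.allowed else 'STOP'} {d.reason}")
```

The rank comparison is the whole policy: every level accepts the audiences at its own rank or narrower, so adding a new audience only means placing it on the scale. The two special actions exist because "can I share this with X" is not the only question; enrichment and searching both leak the indicator somewhere the post says a stricter level does not allow.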
I hope this helped 🙂