TLP update (2.0), going softer on AMBER and adding AMBER+STRICT
“Let’s talk about” is a series I have planned for a while, it will cover topics which are quite old but I find myself…cybernotdienst.de
This is an updated post for the initial release story about the TLP protocol, changes are mainly in the TLP:Amber+Strict area. Changes are highlighted in bold
The traffic light protocol was first developed by first.org, a security professional community in the area of incident response but actually mainly CERT related.
As you may imagine, when CERT people come together they are keen on sharing knowledge and insights as well as the latest and most urgent events they are facing with each other. But how do you end up not over sharing information, publicly exposing that your company is may or may not affected by a certain threat actor or vulnerability? How can you make sure that your effort of investigating a certain threat gets public knowledge? With this your advantage point vanishes.
Well, I could imagine that those thoughts have been fundamental to the birth of the TLP protocol.
Everybody in the security space should have a basic understanding of the TLP, knowing what green, amber and red mean. If you don’t, let me tell you.
White (TLP:WHITE : R=255, G=255, B=255)
Well, white is not really a traffic light, but that is actually the point. Stuff which is TLP:white is sort of public domain, information shared under this tag can be used however you like. Go home and tell your grandmother about it if you like, or write a fancy blog post. No harm, no foul.
Green (TLP:GREEN : R=51, G=255, B=0)
This already limits the sharing you are allowed to do. Being the lowest entry point to the protocol, information tagged as TLP:green should stay within the shared community and your broader organization. Feel free to tell everyone in your community (was: company and partners). You could for example shout them out in the cantina of your company and no one will complain.
Amber (TLP:AMBER : R=255, G=192, B=0)
Well, staying with the examples, the cantina might not be the right place to disclose this one, in the new version 2.0 of the TLP protocol this now even includes clients who need to know, so not limited to the “Organization only” which was the phrase you want to keep in mind. So tagged as TLP: amber should be limited to your team meetings, your SOC and board rooms and clients like in an MSSP scenario.
Be careful if data tagged this way is to be enriched, many organizations could see the sharing of the indicator with a 3rd party vendor as breaking the code.
Amber and Strict (TLP:AMBER+STRICT : R=255, G=192, B=0)
Amber+Strict is basically the old amber definition which still means “Organization only”, so make sure to give a suspicious look around the cantina and whisper it to your team members.
Red (TLP:RED : R=255, G=0, B=51)
You and you alone. Remember when your childhood friend took you away from the group and started with “please tell nobody” , that’s exactly TLP:red for you. Mainly meaning “ears and eyes” of the the participants only.
This is mostly the hardest TLP category you can find and it makes it really difficult to act upon, you could basically not even search it on the SIEM because it would show up in the history. So act with caution.
That’s it for today, please leave a 👏 and be excellent to each other.