Guide to Traffic Light Protocol (TLP)

Key Points:

  • TLP is a sharing protocol.
  • Companies that do not share threat information are at a disadvantage.
  • Overclassification stifles sharing. Strive to share with the least restriction for the broadest sharing potential.
  • The information source determines the classification.
  • Use more restrictive tags only when the information contains sensitive details that may put an organization at risk if shared publicly.

Introduction

Sharing communities like MM-ISAC share information and intelligence using the Traffic Light Protocol (TLP). Official information on what it is and how and when to use it can be found here: https://www.first.org/tlp/

MM-ISAC was formed by a few mining companies in 2017 after a series of cyber attacks on several mining companies carried out by the same threat actor. The ISAC was formed when the CISOs and Security Directors got together and decided that companies that do not share this information are at a disadvantage against the threat actors. Threat actors are innovating by leveraging new technologies and collaborating by sharing information on tactics and techniques. Simply put, as defenders, we must do a better job of sharing information and collaborating in this environment and landscape.

What is TLP?

The Traffic Light Protocol is a sharing protocol, and the emphasis is on sharing. Its purpose is to enable the broadest possible sharing of information so that we can collaborate and cooperate more effectively on the defence side. The classification levels determine how and with whom you may share the information.

Overview of TLP Classification Restrictions

TLP: CLEAR

Who to Share With:

  • No restrictions. Share with anyone and everyone.

How to share:

TLP: CLEAR may be published and shared anywhere:

  • Public websites.
  • Social media.
  • Public articles and blogs.

TLP: GREEN

Who to share with:

  • Restricted to the “community.” If the community is not defined, assume the cybersecurity and defence community.

How to share:

Share via non-public online channels:

  • Threat Intelligence Platform (TIP).
  • Private channels (Teams, Slack, Signal).
  • Email.

TLP: AMBER

Who to share with:

Share with those who need to know:

  • Members of the recipient's own organization.
  • Clients of the organization (such as customers or ISAC members).

How to Share:

Share via non-public online channels with controlled access:

  • Threat Intelligence Platform (TIP).
  • Private channels with controlled access.
  • Email.

TLP: AMBER+STRICT

Who to share with:

Sharing is limited to the recipient's own organization only.

How to Share:

Share via non-public online channels with controlled access:

  • Threat Intelligence Platform (TIP).
  • Private channels with controlled access.
  • Email.

TLP: RED

Who to share with:

Only for the intended recipient. Do not share further.

How to Share:

Typically shared via secured out-of-band channels.

Why We Share Intelligence

Intelligence is about making better choices in how we defend ourselves. It’s so we know what may be coming. Threat actors typically recycle tactics that work well for them; knowing this information can help us better prepare our defences and update our responses accordingly.

Classifying intelligence with the fewest possible restrictions is crucial so that it can be shared as widely as possible:

  • To facilitate collaboration.
  • To build a bigger picture.
  • To have the most complete and accurate representation (Fusion of Horizons).

Risks of Overclassifying Intelligence

Many CTI professionals come from intelligence and government backgrounds where security classifications are imposed to keep and maintain secrecy; thus, many overclassify by default. TLP has a different objective: to enable sharing. In information sharing, the risk is overclassification rather than under-classification.

Overclassifying limits and restricts how and with whom information may be shared. This overclassification will stifle sharing and collaboration. Want a whole industry of defenders working on the same problem or picture? We cannot do that if we continue to overclassify what we share.

How to Determine TLP Classification

The first step in determining TLP classification is to consider the source. Is this information from online or open sources, clients, peers, public or private organizations?

TLP classification should be directly aligned with the sensitivity of the information being shared. Remember, TLP is a sharing protocol that aims to disseminate information as widely and openly as possible. If the intelligence comes from an open source, such as information published online in a news article, the classification is always CLEAR. It does not matter which platform you retrieved it from; the source of the intelligence determines the classification.

If intelligence comes from a member or client, that client determines the level of sharing with which they feel comfortable.

There may be good reasons to place restrictions on a share, such as:

  • The information still needs to be investigated or validated.
  • Identifying information has not been sanitized.
  • The entity the information is about needs to be protected.

Minimize Risk When Sharing Potentially Sensitive Information

One strategy to increase the potential for sharing is to share anonymously, omitting sensitive and identifying information about the victim. For example, focus the share on the attacker’s information, such as:

  • IP addresses of the attacker’s infrastructure.
  • Hash values of files used during the attack.
  • Tactics used during the incident.

Inappropriate Use of TLP (as seen from CTI and TIP Vendors)

A particularly infuriating example of overclassification that I see regularly from CTI and TIP vendors is the overclassification of open-source intelligence. I see vendors applying TLP: AMBER+STRICT to open-source intelligence scraped from public news articles, either to make the information appear more sensitive or valuable or, worse, because the AI that scraped the data and generated the report is "proprietary." The best advice for vendors who want to market their platforms or products in this space is to demonstrate that they understand the proper usage of TLP.

Guidance for vendors:

  • If the original source of the information is scraped from public news sites, the tag is easy: TLP: CLEAR. Sharing the information will harm no clients.
  • If there is additional analysis that you do not want published online, but the information it contains is not sensitive, TLP: GREEN is appropriate.
  • If the information might put an organization at risk, do NOT share it. Obviously, do not drop it into an unsecured Signal channel. Vendors should not share anything above TLP: GREEN with non-customers and non-clients unless they have a very good reason (such as a need to know) and permission from the original source.
  • If your company regularly shares TLP: AMBER+STRICT with people who are not customers or clients, there is a good chance you are overclassifying the information. Re-evaluate the sensitivity of the information and reclassify it as CLEAR or GREEN.

Conclusion

The purpose of the Traffic Light Protocol is to enable us, as a cybersecurity community, to better share intelligence and facilitate collaboration. It is essential to maintain the confidentiality of information to protect the individuals and organizations that share it. It is also vital not to overclassify intelligence so that we are not at a disadvantage when defending against cyber threats.
