The Traffic Light Protocol (TLP) can play a major role in your XSOAR instance. As you may have seen already, every Threat Intelligence Feed you can add will come with this option to be set.
See MISP in the example above. What does the TLP actually indicate? Well, let me explain.
The traffic light protocol was first developed by first.org , a security professional community in the area of incident response but actually mainly CERT related.
As you may imagine, when CERT people come together they are keen on sharing knowledge and insights as well as the latest and most urgent events they are facing with each other. But how do you end up not over sharing information while publicly exposing that your company may or may not be affected by a certain threat actor or vulnerability? How can you make sure that your effort of investigating a certain threat gets public knowledge? With this, your advantage point vanishes.
One could imagine that those thoughts have been fundamental to the birth of the TLP protocol.
Everybody in the security space should have a basic understanding of the TLP, knowing what green, amber and red mean. Let’s explore further.
White (TLP:WHITE : R=255, G=255, B=255)
White is not really a traffic light, but that is actually the point. Indicators which are TLP:white are sort of public domain in that information shared under this tag can be used however you like. Go home and tell your grandmother about it if you like, or write a fancy blog post. No harm, no foul.
Green (TLP:GREEN : R=51, G=255, B=0)
This already limits the sharing you are allowed to do. Being the lowest entry point to the protocol, information tagged as TLP:green should stay within the shared community and your broader organization. Feel free to tell everyone in your community ( was: company and partners ). You could, for example, shout them out in the cantina of your company and no one will complain.
Amber (TLP:AMBER : R=255, G=192, B=0)
Staying with the examples, the cantina might not be the right place to disclose this one. The new version 2.0 of the TLP protocol includes clients who need to know, so not limited to the “Organization only” which was the phrase you want to keep in mind. TLP: amber tags should be limited to your team meetings, your SOC and board rooms and clients like in an MSSP scenario.
Be careful if data tagged this way is to be enriched. Many organizations could see indicator sharing with a 3rd party vendor as breaking the code.
Amber and Strict (TLP:AMBER+STRICT : R=255, G=192, B=0)
Amber+Strict is basically the old amber definition which still means “Organization only”, so make sure to give a suspicious look around the cantina and whisper it to your team members.
Red (TLP:RED : R=255, G=0, B=51)
You and you alone. Remember when your childhood friend took you away from the group and started with “please don’t tell anyone”, that’s exactly TLP:red for you. Mainly meaning “ears and eyes” of the participants only.
This is the strictest TLP category you can find and it makes it really difficult to act upon, you could not search it on the SIEM because it would show up in the history. So act with caution.
That’s it for today, please leave a 👏 and be excellent to each other.
... View more