The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations in further spreading this information. It is used in almost all CSIRT communities and some Information Analysis and Sharing Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral. This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.

The TLP is in principle easy to use: the sharer of information tags the information with a colour. Tagging information consists simply of adding “TLP:COLOUR” on a document or part of it. The meaning of the colour indicates the possibilities for further spreading of the information. Over the years, different wordings of the TLP have surfaced, but the CSIRT community recently made an effort to clarify the TLP.

Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person. Information shared with people in a meeting direct email.

Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to. Sharing of Indicators of Compromise (IoCs) to an organisation’s CSIRT. These could be forwarded to the SOC for further action.

Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community. Sharing of a malware analysis with a specific industry sector.

Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

Considerations

The TLP is not a silver bullet

Since the TLP’s use is ubiquitous in certain communities, it would be easy to think that it is the ultimate solution for sharing information. The TLP’s use of four categories is simple, if not simplistic. There will always be cases where it is not suited to the situation at hand. For example, a presentation in a meeting of representatives of CSIRTs could be TLP:RED for most of them, except for the one team present who is able to act on the information, for whom TLP:AMBER would be more suitable. It is possible to build more complicated examples ad libitum, where the only way out is old-fashioned, extensive, distribution lists. This does not mean that the TLP is useless. On the contrary, its simplicity and universality make it ideal for many real-life situations.

Variations of TLP across communities

Communities have important characteristics that make the TLP more useful: they have a common purpose, and a common understanding of specific terms. This allows them to use the TLP in a more natural way, without the need for extensive documentation. It also allows them to tweak the TLP for their purpose. This can however also lead to confusion when an individual or group belongs to several communities, each with slightly different variants of the TLP meanings. Context is then key to interpreting the TLP tag. We thus encourage communities not to make extensive changes from the canon definition presented in Section 2 above.