How to use the traffic light protocol – TLP

What is TLP?

The TLP or Traffic Light Protocol is a set of designations designed to help sharing of sensitive information. It has been widely adopted in the CSIRT and security community.

The originator of the information labels the information with one of four colours. These colours indicate what further dissemination, if any, can be undertaken by the recipient. Note that the colours only mark the level of dissemination, not the sensitivity level (although they often align).

Why would you use TLP?

The TLP protocol allows you to share sensitive information and keep control over the distribution of the information.

Usage

Although fairly simple in usage, some visual clarification on how to use the traffic light protocol – TLP doesn’t hurt.

Strong limited, only your peers
My information should remain restricted to the people with whom I share the information directly (only people present in a meeting, participating in a conversation, …).
I use TLP:Red when additional parties outside the direct recipient list can not act on the information.
When recipients do no honor the TLP it would impact my privacy, reputation and have an impact on the operations of my environment.
Limited, only people that act on the information
The recipients can share the information with members of their organization who need to know.
I can amend the TLP:Amber by specifying how relaxed or strong “organization” should be interpreted (department, branch organization, full organization).
I use TLP:Amber when I want people to effectively act upon receiving the information.
When recipients do no honor the TLP it carries some risks for my privacy, reputation or operations.
Relaxed, known by the inner-circle
The recipients can share the information in their sector or organization but it can not be put on a website (or any publicly accessible resource whatsover.
I use TLP:Green when the information is useful for all organizations and their peers in the community.
Open, known by everyone
Everyone can receive my information as long as copyright is included.
I use TLP:White when there’s no foreseeable risk of misuse.

Best practices for sharing IOCs

Use

Ideally if you want to share IOCs where you want people to act on you use TLP:Amber.

TLP:Red or TLP:Amber

Although it might seem tempting to use TLP:Red for something sensitive it can prevent your recipients for doing proper research or alerting in their environment. With TLP:Red you prevent your recipients to inject this information in their team (for all not present during the disclosure) for further analysis. You can use TLP:Red to give a heads-up on a threat but further investigation (and feedback) will be rather limited.

Using TLP:Amber with a constituent restriction (for example ‘only share this with your CSIRT team’) is often far more productive.

You should also take into account when using TLP:Red or TLP:Amber that a lot of network operation centers or abuse-desks have been outsourced. Before sharing an IOC (with Amber) you should ask your recipient who manages their network or sensors.

Be warned that configuring an alert on an appliance could potentially also break TLP:Red. Some appliances share their configuration or ruleset in the cloud (or with the vendor). Before implementing an alert based on TLP:Red information you should check what data gets “phoned-home” by your appliance.

For example if there’s an IP that is been used for an espionage threat you could share the full details of the espionage with your peers under TLP:Red and then share the IP with a more generic description via TLP:Amber.

  • Espionage details : share with TLP:Red with your direct peer.
  • Espionage IP : share with TLP:Amber to request alerting and escalation via the CSIRT.

Don’t get trapped by confusing sensitivity with restriction. If you want information to get acted on sharing it with a restrictive TLP code will limit the usefulness of your information.

TLP:Amber with restriction

The TLP:Amber code is the TLP that is most often used. By defintion it involves sharing information with members of their own organization who need to know, and only as widely as necessary to act on that information.

If you do not define what you understand under organization then it’s up to the recipient to define this. Their definition of ‘organization’ can be different to your understanding of ‘organization’. Ask your recipient to verify with you what’s meant with organization if they have any doubts. As such, try to be as specific as possible when using TLP:Amber.

In practice most CSIRTs will use TLP:Amber with a definition of organization. Most CSIRTs will use “your own CSIRT” as defining the sharing organization but they can also be more relax and use “your NOC”.

As a rule of thumb, if you use TLP:Amber, describe what you mean with “your organization”.

  • Mail Subject: “TLP:Amber New threat on XXX”
  • Mail Body: “TLP:Amber : Organization : is your CSIRT”

Chatham House Rule

The TLP code can also be extended with the Chatham House Rule. Basically this means that anyone who receives the information is free to use it but the receiver is not allowed to provide any attribution.

  • Mail Body: “TLP:Amber TLP:EX:CHR

E-mail

If you send an e-mail where you want to label the information with a TLP code you ideally start the subject with the TLP code. This way your recipient immediately knows how to classify the information.

  • Mail Subject: “TLP:Amber New threat on XXX”

Consequently, almost by definition, sharing information via TLP:Red or TLP:Amber requires you to use encryption (for example GPG) with your peers.

Resources

The TLP protocol is described in detail on the website of US-CERT and CIRCL.

One thought on “How to use the traffic light protocol – TLP

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.