The rapid changing of cyber threat landscape necessitated new mitigation measures. As the web started interconnecting people and organizations all over the world, the threat intelligence and information sharing field received an impetus to come up with new ways to handle emerging threats. It was in this light that Traffic Light Protocol (TLP) was created in the early 2000s by U.K’s National Infrastructure Security Coordination Centre (NISCC) to facilitate greater sharing of information. It was later adopted globally by many governments and security agencies including the US-CERT. TLP is nothing but a simplistic set of color coding schema used to ensure appropriate sharing of sensitive information; which in simple words can be put down as ‘Right person receiving the right information’.
It uses four different colors - Red, Amber, Green and White.
Red: TLP Red is used when information cannot be acted upon by any third party. It means that the information is highly classified and the recipients cannot share it with any parties outside of the specific exchange, meeting, or a group where information was disclosed. It must remain confined to the perimeter of its initial disclosure.
Amber: TLP Amber is used when information sensitivity needs to be balanced with certain action. In such cases, the information must be shared only on a need to know basis and only as widely as its necessary to act on it. It limits information sharing to the members of the organization and clients that require information to be known to prevent damage. .
Green: TLP Green signifies that information must not be publicly disclosed but needs to be disclosed with participating organizations, peers as well as other organizations in the same sector for the broader benefit of the entire community. Recipients can be share such information within organization, with third-party clients, peers and other organizations in the same sector but not via publicly accessible channels. In no case, the information should be made public.
White: TLP White is used when the public disclosure of information carries minimal risk. In such cases, the information can be publicly disclosed and recipients can share it with anyone subject to the copyright, intellectual property and other laws of the land.
TLP is distinct from the Chatham House Rules wherein you may disclose the information without revealing the source. Efficient utilization of TLP depends on understanding the sensitivity of the information and assigning the appropriate color code. Although, sometimes the most sensitive information may warrant Red color to be assigned but that would also limit proper research and action on it. So, in such conditions Amber may be the most appropriate and productive color to assign. However, there are few important dimensions you need to understand while using TLP. One must take into account that nowadays network operation centers are mostly outsourced and most of the data is stored on the clouds. In such cases before you share sensitive information with Red or Amber color schema, you must know ‘where, how and who’ of the recipient’s network management and also check if the data is getting routed through a cloud and if yes, then ask who owns the cloud? TLP is not a silver bullet but effective utilization of TLP can help create a kevlar shield of threat intelligence management and information sharing.