What is Traffic Light Protocol? Here’s how it supports CISOs in sharing threat data

Traffic Light Protocol (TLP) was created to facilitate greater sharing of potentially sensitive threat information within an organization or business and to enable more effective collaboration among security defenders, system administrators, security managers, and researchers.

TLP grew out of efforts by various public-sector security incident response teams of various nations that began sharing security alerts. The protocol was developed so that recipients of threat data could assess its sensitivity and determine how to share it with others, without giving any aid to the bad actors, revealing personal data, or running afoul of data privacy regulations.

The protocols define a series of color-coded classifications (that is where the traffic light concept comes in), with each color representing how the data can be shared. Red means stop, and nothing but stop; amber means stop unless doing so would itself be dangerous; and green means that you’re allowed to share the data, assuming it’s safe to do so. Version 2.0 improves on the original protocols by further clarifying sharing restrictions, and the US Cybersecurity and Infrastructure Security Agency (CISA) has published this TLP 2.0 guide.

Safely sharing threat data

Sharing threat data is a delicate dance. If you discover a threat, you want to be careful what you share about it. For example, the European cyber agency ENISA says “A presentation in a meeting of representatives of CSIRTs [computer security incident response teams] could be TLP:RED for most of them, except for the one team present who is able to act on the information, for whom TLP: AMBER would be more suitable.” In the past, this dance has usually involved distinguishing among full, responsible, or limited disclosure of vulnerabilities. But TLP shows that a more nuanced approach is more effective.

The schema embodied in the TLP was inspired by the various classified document markings such as secret, top secret, and so forth. However, TLP and “top secret” classifications aren’t related. TLP shouldn’t be used on classified documents, and some countries automatically make certain kinds of data — such as threats to critical infrastructure — classified by default, meaning their distribution is carefully controlled.

A brief history of Traffic Light Protocol (TLP)

Over the years, the US has developed a series of information sharing and analysis centers (ISAC) — known as information exchanges in the UK — that have been established for various vertical industries, such as ISACs for election security, utility security, automotive security, and so forth. The protocols became part of the Forum of Incident Response and Security Teams (FIRST), which formally published TLP v1.0 in August 2016 and issued a revised TLP v2.0 in August 2022 that was extensively discussed at a conference in Dublin. Since then, various products have come out that support the updated protocols. There are over 50 members of the special interest group from all over the world that contribute to TLP efforts.

Part of the motivation behind the update is to make the standards more precise and therefore more useful to various security players. “We are increasingly spreading more confidential and sensitive information inside our community, inside companies, inside business sectors, inside countries, and worldwide,” said FIRST TLP-SIG co-chair Don Stikvoort during the Dublin conference. “We need systems that are easy to use, simple to understand, and straightforward enough that translation does not impact the meaning to ensure that we share sensitive information with the appropriate audience. The updated and modernized TLP version 2.0 does just that.”

Significant updates in TLP 2.0

The most significant changes to TLP 2.0 are as follows:

• Sharpened the language used in the standards to make it easier for non-native English speakers as well as provide more accurate translations in other languages. The protocols have been published so far in Dutch, Portuguese, French, Japanese, and Norwegian. “We wanted to keep it as straight and simple as possible to enhance understanding,” Stikvoort says. Part of this effort was to establish consistency among terms used in the standards documents.
• Added a colors table to include RGB, CMYK, and hexadecimal color codes to be used in various documents.
• The TLP:WHITE designation has become TLP:CLEAR, as part of a global effort to move away from coded racist language.
• Added the TLP:AMBER+Strict label to highlight information that is restricted to the recipient’s organization only. This is a very useful designation and shows how TLP can be effective given the exposure that many companies have seen with their software supply chains (think SolarWinds or VMware’s ESXi vulnerabilities for example).

Why the TLP update?

One of the things described at the Dublin conference is how data is shared amongst service providers, such as ISPs or telecom vendors, depending on the different colored designations and how they change as the data is shared among different parties. Also, how the threat designation would change as the data gets shared from one place to another, depending on its sensitivity. “The originator or sender of a document is responsible for the level of the designation,” Stikvoort says. “Be very clear about how you communicate things, especially if you are forwarding something.”

Another of the TLP principals is Thomas Millar, a staffer at CISA. He tells CSO that the revised protocols have had an unexpected, positive side effect. “We have brought much more attention to TLP from potential adopters that were not already using TLP or using it in a very limited fashion. There are new communities showing interest that were not part of the conversation before, and that’s a great thing.”

TLP is just one of a series of efforts to share security threat information, both among humans and to structure the metadata around the threats that can be more readily consumed by various automated operations and tools. The goal is to create connections among researchers and defenders, understand how malware works, and assign indicators of compromise as well to help intrusion detection systems find these threats, share their malware data, and neutralize them.

This can be seen in the MITRE’s effort to classify threats through its ATT&CK framework and a recent effort to create a similar framework for supply chain threats specifically, as well as two standards that are used in various commercial products such as STIX and TAXII which are part of an open source project called Malware Information Sharing Project (MISP) that grew out of efforts at NATO.

MISP can automatically synchronize a threat event with actions to take. It uses the STIX protocol to structure the data on each event. Several vendors have connectors that enable their threat feed data to be shared in the MISP framework, including Symantec’s DeepSight Intelligence, Kaspersky threat feeds, Cyware CTIX, and McAfee’s Active Response. MISP integrations with open-source and commercial threat intelligence platforms include the ThreatQuotient Platform and EclecticIQ Platform. These commercial platforms take MISP a step further and can visualize the threat using the STIX and ATT&CK data, create automated actionable tasks to manage and eliminate the threat, and other post-attack mitigations.

Where should IT managers get started with TLP?

If you haven’t yet codified any of your threat data, now is the time to study STIX and TAXII and understand how they are used and how they can help with classifying these threats.

Then take a look at MISP and the CISA program to help with the real-time exchange of machine-readable threat information called the Automated Indicator Sharing capability. It is a free service and contains data about attempted malware incursions and ways to respond to and defend against these threats. This latter effort uses both TLP and STIX protocols, but it will not support TLP v2.0 until March 2023. The link above will take you to where you can sign up for the program. FIRST has put together a handy quick reference guide that shows the different classification colors and how they are best used.

Next, realize that TLP is not about products, but a way of life. Examine how you share threat data across your organization, including how to communicate to suppliers and partners and across your software supply chain.

“If you look at systems as being composed of people, process, and technology, TLP is 99% people and process,” Millar tells CSO. “If technology supports TLP too, that’s great, but it’s supposed to be part of a process, practiced by people.

“TLP is all about how you organize and share this threat information with others. TLP should be used by any security organization that wants to share something sensitive to another organization. It doesn’t have to be inside of an ISAC context or with a particular technology. I’ve talked to organizations who use TLP for physical security information as well. It’s simple, practical, and helps us all share with confidence.”