SOCRadar® Cyber Intelligence Inc. | What You Need To Know About Traffic Light Protocol Usage in Threat Intelligence


Tem 13, 2020
5 Mins Read

What You Need To Know About Traffic Light Protocol Usage in Threat Intelligence

There are a few standards and formats for timely and more effective exchange of sensitive intelligence, and Traffic Light Protocol, better known as TLP, is one of them.

In other words, TLP is a comprehensive set of rules that makes sure ONLY a specific party receives threat intelligence. It defines with whom, how, when, and to what extent the intelligence will be shared. The “set of rules” consists of a four-color group. These colors imply with whom the intelligence will be shared.

The beginning

TLP was created by the UK Government’s National Infrastructure Security Coordination Center (NISCC) in the early 2000s. Its main purpose was to facilitate the sharing of information. Because of the ease of use, very shortly after it was created, this protocol was adopted by many other, public and private, security organizations including the US-CERT.

Why use TLP?

Sharing Threat Intelligence (TI) within the cybersecurity community is one of the key actions companies need to take in order to use their resources more strategically and have more automatedly responsive teams. Along with other advantages, shared TI helps organizations reduce the risk of any potential attack. Being timely is key to achieving this goal. Yet, sending sensitive information to the wrong audience makes timeliness ineffective. And TLP is all about preventing that.

The right information to the right receiver

TLP provides a simplistic and intuitive solution to securely exchange information with the right audience, may it be an individual, organization, or community. The flow of information goes like this:

  • The sender labels information with a color code (Red, Amber, Green, White), to assign importance to the message, and how it will be further disseminated 
  • The receiver must obtain explicit permission from the sender in case a wider audience needs to have access to that information – because the sender always has the last word

This means only the right person will receive the right information because the sender puts boundaries to dissemination. However, the senders need to ensure that the receiver understands TLP sharing rules, or else using it will be pointless.

Color codes and their meaning

TLP uses a four-colors code. With each of them being labeled to sharing intelligence, the sender assigns a grade of sensitivity. That helps the receiver understand the broadness of dissemination he can further proceed with.

It is the sender’s responsibility to ensure that the receiver understands the rules of the protocol and will not share the information outside the boundaries without the permission of the sender.

RED – No Disclosure at all

TLP: RED – this color code can be used by the sender when the information is restricted only to participants present at the meeting, a group, or a direct recipient of an SMS or email. So, the dissemination is usually done via a predefined list.

This information cannot be disseminated to third parties unless the sender permits it. However, the sender must label the information according to what they want the receiver to do with it – it is easy to label everything TLP: RED, just-in-case, but when you need the receiver to act upon that information, the RED label is useless.

AMBER – Limited disclosure

TLP: AMBER – this color code can be used by the sender when the information is restricted to participants of an organization, or members of a community. The sender needs to use this code when information requires action. However, it is still the sender’s right to specify a limitation to how wide the dissemination can go.

This information can also be shared with clients or suppliers of an organization, only and only if there is something they need to know in order to protect themselves or prevent further danger.

Examples of information that can be labeled TLP: AMBER may be vulnerabilities, system logs, DDoS information, Indicators of Compromise (IoC), security incident information, etc.

GREEN – Community-wide

TLP: GREEN – this color code can be used by the sender when the information is allowed to be shared with anyone in a particular community – with the only condition, that it won’t be released outside of the community – so, it cannot be published publicly on the Internet.

The receiver of the information may share it only with partner organizations within the community but needs to make sure it will not be publicly accessible. The goal of sharing this information is to let the entire community benefit from it – examples can be sharing malware analysis with a specific sector.

WHITE – Unlimited disclosure

TLP: WHITE – this color code can be used by the sender when the information is allowed to be distributed to the public without any restrictions. However, the laws of Copyright still need to be applied.

The sender must know that to label information WHITE, it needs to make sure its disclosure carries a minimal risk or no risk at all.