TLP 2.0 is here, (Thu, Aug 4th)

This post was originally published on this site

Earlier this week, the global Forum of Incident Response and Security Teams – or FIRST, as it is commonly known – published a new version of its Traffic Light Protocol standard[1]. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information.

Since different organizations and security teams around the world use differing (and not necessarily compatible) standards for information classification, it can be difficult to quickly share any sensitive information with anyone outside the organization without also appending the entire information classification standards of the source organization that specifies how/whether the recipient may use and further share the information. This is where the TLP comes in and why it is quite valuable, since it provides everyone with a common, easy to understand and easy to use information classification scheme. One only has to indicate (in an e-mail subject, on a first slide of a presentation or document, in spoken exchange, …) that the information that is about to be shared has specific TLP label, and the recipient should be able to immediately understand how they may use it and with whom (if anyone) they may share it.

The new version of the standard brings several important changes, the most visible one having to do with the classification labels. In its previous iteration[2], the TLP consisted of the following four labels that governed how the transferred information may be shared:

  • TLP: WHITE – Disclosure of information is not limited
  • TLP: GREEN – Limited disclosure, recipients can spread information within their community
  • TLP: AMBER – Limited disclosure of information, restricted to participants’ organizations only
  • TLP: RED – Not for disclosure, information restricted to exchange participants only

In the 2.0 version of the standard, TLP: WHITE has been renamed TLP: CLEAR and a new TLP: AMBER+STRICT label was added. Some changes have also been made to the definitions and the overall language as well as to some other minor areas, which should help minimize any uncertainty in the meaning of different labels.

You may find the entire standard on the FIRST website, but in general, the new classification basically gives the following meaning to each of the labels.

If you use TLP in your daily activities, it would be advisable to start using its new iteration as soon as possible, since the 2.0 version of the standard is now considered authoritative.

[1] https://www.first.org/tlp/
[2] https://www.first.org/tlp/v1/

———–
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.