Incident Exchange — Beyond the Traffic Light Protocol

Paul Kurtz, TruSTAR Blog, Jul 1, 2016

The Traffic Light Protocol (TLP) was developed as a means to facilitate information sharing by using a standardized information classification scheme. By assigning a TLP classification to a report the originator signals how widely information can be disseminated beyond the immediate recipient. TLP has four levels:

  • TLP RED: information cannot be shared with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.
  • TLP AMBER: information can be shared with members of the recipient’s own organization who need to know, and only as widely as necessary to act on that information.
  • TLP GREEN: information can be shared with peers and partner organizations within the recipient’s sector or community, but not via publicly accessible channels.
  • TLP WHITE: unlimited distribution. Information may be distributed without restriction, subject to copyright controls.

Theoretically, the protocol provides several benefits. It provides a simple and intuitive schema for when and how cybersecurity information can be shared. It removes ambiguity about whom the information can be shared with, and inherently promotes the practice of sharing.

As the name indicates, TLP is a protocol, and it only works when everyone understands it and agrees to honor it. Self-regulation and enforcement of agreed-upon rules are necessary for TLP to provide the benefits it was designed for. But there isn’t any easy way to implement automated mechanisms to enforce TLP, so any detection of a TLP violation will always be reactive. This has three implications:

1. the originator has less assurance that a more highly classified TLP report has not been shared with others;

2. correlations among more highly classified TLP (RED or AMBER) reports will not easily be discerned; and

3. reporting will not include the additional context about a campaign or threat actor that can be drawn from other TLP levels (GREEN and WHITE) to inform a much broader understanding of a problem.

This is why TruSTAR designed Enclaves. As background, TruSTAR allows organizations to exchange incident reports and automatically correlates them based on indicators of compromise (IoCs) and other external and open source intelligence. This data is immediately rendered visually for customers so they can easily see correlated reports and associated indicators of compromise. Associated IoCs and campaign data can be exported from the reports and ingested by a company’s SIEM or AV system. Enclaves provide the ability to create a group of members, where membership is determined by mutual trust, just as TLP establishes trust levels. The combination of TLP and Enclaves provides an easy way to implement automated sharing policy enforcement. Similar to TLP, a customer cannot share a report outside of the Enclave unless it is the originator. But Enclaves go a step beyond by ensuring Enclave “members” are made aware of relevant reporting that has been more widely shared among customers.

For example, TruSTAR customers have established their own Enclaves for their own data. This data is considered TLP “RED.” However, such customers can still see associated data more widely shared in the community, which allows them to ascertain quickly whether a given problem is more pervasive than originally thought. In that case, the customer can elect to share the report more widely to gain additional context.

This same concept is easily applied to groups of companies that wish to work together but still want access to other relevant data.

For example, customer A forms an Enclave and asks companies B and C to join. They share TLP “RED” data between them and see relevant correlations among their reporting immediately. Companies A, B and C also see other relevant reporting correlated from the rest of the community. The IoCs shown allow company A to decide whether to share its report more widely in order to expedite investigation and remediation.
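One way to turn the Enclave-plus-TLP combination described above into a pre-share policy check and a correlation query that exposes only IoC overlap, as an added Python example that is not TruSTAR’s code; the organization names, sectors, Enclave model and sample reports are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    rid: str          # report id
    originator: str   # organization that submitted the report
    enclave: str      # Enclave it was disclosed in; "community" is open to all
    tlp: str          # RED, AMBER, GREEN or WHITE
    iocs: frozenset   # indicators of compromise extracted from the report

# Constructed sample data (assumed names): sectors and Enclave membership.
SECTOR = {"A": "finance", "B": "finance", "C": "energy", "D": "energy", "E": "energy"}
ENCLAVES = {"abc": {"A", "B", "C"}, "xyz": {"E"}, "community": set(SECTOR)}

def tlp_allows(report, sharer, recipient):
    """The TLP rule alone, evaluated at organization granularity."""
    if report.tlp == "RED":
        return recipient in ENCLAVES[report.enclave]   # only the original exchange
    if report.tlp == "AMBER":
        return recipient == sharer                      # own organization only
    if report.tlp == "GREEN":
        return SECTOR[sharer] == SECTOR[recipient]      # peers in the same sector
    return report.tlp == "WHITE"                        # any other level: deny

def can_share(report, sharer, recipient):
    """Policy check applied before a share happens, not after a violation is noticed."""
    if sharer == report.originator:
        return True                     # the originator always controls its own data
    members = ENCLAVES[report.enclave]  # non-originators cannot share outside the Enclave
    if sharer not in members or recipient not in members:
        return False
    return tlp_allows(report, sharer, recipient)

def correlations(report, reports, viewer):
    """IoCs of `report` that recur in other reports the viewer may see. Only the
    overlap and the other report's Enclave are exposed, so RED content stays put."""
    hits = {}
    for other in reports:
        if other.rid == report.rid or viewer not in ENCLAVES[other.enclave]:
            continue
        overlap = report.iocs & other.iocs
        if overlap:
            hits[other.rid] = (other.enclave, sorted(overlap))
    return hits

REPORTS = [  # constructed sample reports; indicators are documentation-range values
    Report("r1", "A", "abc", "RED", frozenset({"203.0.113.7", "evil.example"})),
    Report("r2", "D", "community", "GREEN", frozenset({"203.0.113.7", "c2.example"})),
    Report("r3", "E", "xyz", "RED", frozenset({"evil.example"})),
    Report("r4", "B", "abc", "AMBER", frozenset({"c2.example"})),
]
```

Company A, viewing its RED report r1, learns that one of its indicators also appears in a community report, while E’s RED report in another Enclave never surfaces, and B is blocked from forwarding r1 to D.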

The TLP system has been in existence since ISACs were created in the late ’90s. However, as our information sharing requirements evolve, we need the ability to enforce strict control of an originator’s data without restricting our ability to understand how a particular incident report or set of incident reports — read campaign — fits into a wider context that potentially extends across a previously unknown set of companies. We now can.

Reach out to TruSTAR today to learn more about how Enclaves can augment your existing TLP sharing.
