Considerations on the Traffic Light Protocol

Published under Glossary

Introduction

The Traffic Light Protocol (TLP) is a means for someone sharing information to inform their audience about any limitations on further spreading that information. It is used in almost all CSIRT communities and in some Information Sharing and Analysis Centres (ISACs). The TLP can be used in all forms of communication, whether written or oral.

This Glossary Entry presents the TLP and its possible variants, and proposes some considerations on its use and its limitations.

The Traffic Light Protocol (TLP)

The TLP is in principle easy to use: the sharer of information tags the information with a colour. Tagging information consists simply of adding “TLP:COLOUR” to a document or to part of it. The colour indicates how far the information may be spread further. Over the years, different wordings of the TLP have surfaced, but the CSIRT community recently made an effort to clarify the TLP. The current definitions are given below, with the colour, its meaning, and an example of its use.

RED
Meaning: Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.
Example: Information shared with people in a meeting; direct email.

AMBER
Meaning: Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.
Example: Sharing of Indicators of Compromise (IoCs) with an organisation’s CSIRT. These could be forwarded to the SOC for further action.

GREEN
Meaning: Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.
Example: Sharing of a malware analysis with a specific industry sector.

WHITE
Meaning: Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
Example: Public security advisory.

Considerations

The TLP is not a silver bullet

Since the TLP’s use is ubiquitous in certain communities, it would be easy to think that it is the ultimate solution for sharing information. It is not. The TLP’s use of four categories is simple, if not simplistic. There will always be cases where it is not suited to the situation at hand. For example, a presentation in a meeting of CSIRT representatives could be TLP:RED for most of them, except for the one team present that is able to act on the information, for which TLP:AMBER would be more suitable. It is possible to build more complicated examples ad libitum, where the only way out is old-fashioned, extensive distribution lists.

This does not mean that the TLP is useless. On the contrary, its simplicity and universality make it ideal for many real-life situations. It is just not a silver bullet.

Variations of TLP across communities

Communities have important characteristics that make the TLP more useful: they have a common purpose, and a common understanding of specific terms. This allows them to use the TLP in a more natural way, without the need for extensive documentation. It also allows them to tweak the TLP for their purpose.

This can, however, also lead to confusion when an individual or group belongs to several communities, each with slightly different variants of the TLP meanings. Context is then key to interpreting the TLP tag. We thus encourage communities not to make extensive changes to the canonical definitions presented in the TLP section above.

Relation to legal classification schemes

TLP users need to be aware that the TLP has no legal value, and is not mentioned in any legislation regarding data sharing and classification.

Most countries, as well as the European Union and NATO, have ways to tag information as classified. These tags are commonly Confidential, Secret, and Top Secret. It can be tempting to apply these tags and the TLP tags together, or to attempt to map one onto the other: after all, classified information cannot be transferred unless the recipient has the appropriate clearance and the need-to-know. This could not be more wrong. The TLP and (inter)national classification schemes have nothing to do with each other. Their simultaneous use will lead to confusion, and potentially to sharing that would be considered a crime.

Legislation trumps TLP tags. Some countries make certain kinds of information classified by default. For example, information on vulnerabilities in critical infrastructure is automatically considered Confidential in some countries. Sharing this information, even under TLP:RED, will constitute a breach of the law in these jurisdictions.

The TLP must thus not be applied on documents that are already classified.

Using the TLP

While there are plenty of online documents describing the TLP, few actually try to explain its use beyond simple examples. More detailed examples exist on the use of the TLP for sharing Indicators of Compromise (IoCs). This section attempts to go beyond examples, and gives general advice on using the TLP.

As information receiver

Receiving information with a TLP tag other than TLP:WHITE is a privilege. It means that the information owners trust the recipient to respect their wishes. The recipients must thus do everything in their power to be worthy of that trust.

Of course, there are cases where the tag applied by the sharer may seem too restrictive, and further sharing with select individuals or groups may actually be beneficial. In this case, the only right course of action is to get in touch with the sharer and discuss it. This actually acknowledges that the TLP is not a silver bullet, as explained above. In all cases, the sharer has the last word, and the receiver is bound to respect it.

As information sharer

Information owners must have control over how their data is shared. Sharing sensitive information, such as information about a security breach, is a gamble. On the one hand, the community might learn from the sharer’s mistake or even help the sharer limit the extent of the breach. On the other hand, there is the risk that the information spreads further than intended and damages the sharer or their organisation. The TLP helps sharing by giving some measure of control to the information sharer.

Sharers must not succumb to the power that this control gives them. It is easy to tag everything as TLP:RED and be done with it. It is also useless, as it will make most receivers unable to act on the information they get. Moreover, over-tagging will quickly be detrimental to the sharer’s reputation and the trust they get from the community.

Sharers must tag information according to what they want the receivers to do with it. If the goal is only to inform about very sensitive information, like “there will be a merger between two companies”, then TLP:RED is certainly appropriate. However, if they want the receivers to act on the information, and for example help the sharer recover from a security incident, then anything more restrictive than TLP:AMBER will be detrimental.

Sharers must also pay attention to the availability of the information. There is no point in tagging as TLP:AMBER information that is already available on the internet.

As community

Communities may want to use the TLP, and it is legitimate that they also tweak it to better suit their needs. The operative word here is “tweak”. Extensive changes will confuse users, and will make the TLP lose its purpose. Communities must thus be very careful with any changes to the meaning of the tags, and explain these carefully. Given the recent changes brought by the CSIRT community, such tweaks should be even less necessary now.
