In the Intelligence Cycle, the Dissemination phase is critical. However, not all intelligence is meant for public consumption. Sharing a sensitive report about a nation-state actor on a public blog could compromise an active investigation or burn a source.
The Traffic Light Protocol (TLP) provides a simple, color-coded scheme to indicate how far information can be shared. It is the global standard for CTI sharing.
The TLP 2.0 Levels
1. TLP:RED (For Your Eyes Only)
- Restriction: Not for disclosure, restricted to participants only.
- Use Case: A specific meeting about an active insider threat investigation or a sensitive unpatched vulnerability.
- Share with: No one outside the specific exchange.
2. TLP:AMBER (Limited Disclosure)
- Restriction: Limited disclosure, restricted to participants’ organizations.
- Use Case: Details about a new ransomware strain affecting your sector that you want to warn peers about without going public.
- Share with: Members of your own organization, on a need-to-know basis, so they can protect the network.
3. TLP:AMBER+STRICT (New in 2.0)
- Restriction: Restricted to the organization only.
- Note: Unlike standard Amber, this cannot be shared with external contractors or MSPs (Managed Service Providers).
4. TLP:GREEN (Community Wide)
- Restriction: Limited disclosure, restricted to the community.
- Use Case: Indicators of Compromise (IOCs) that are useful to every bank in a financial-sector sharing group (ISAC).
- Share with: Partner organizations and peers, but not publicly on the internet.
5. TLP:CLEAR (Public)
- Restriction: Subject to standard copyright rules, but otherwise unrestricted.
- Use Case: A whitepaper on MITRE ATT&CK trends or a blog post about historical malware.
Pro Tip: Always label the header and footer of your documents with the TLP color. If you receive intelligence without a tag, treat it as TLP:RED until confirmed otherwise.
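As an added example (not part of the original page or the TLP specification), the level list and the pro tip above can be encoded as a small policy check: it reads the marking from a document's header and footer, treats an unmarked document as TLP:RED, refuses a conflicting header/footer pair, decides whether a recipient class may receive the material, and stops a forwarder from loosening a label. The recipient classes (participant, own organization, contractor/MSP, community, public) are assumptions chosen to mirror the list above.

```python
import re

# Recipient classes, closest to most distant. These are an assumption of this
# example, chosen to mirror the five levels described above.
RECIPIENTS = ("participant", "own_org", "contractor_msp", "community", "public")

# Who each TLP 2.0 label may reach, following the list above: RED stays within
# the exchange, AMBER+STRICT stays inside the organization, AMBER may also reach
# external contractors/MSPs, GREEN reaches the wider community (e.g. an ISAC),
# CLEAR is unrestricted.
ALLOWED = {
    "TLP:RED": {"participant"},
    "TLP:AMBER+STRICT": {"participant", "own_org"},
    "TLP:AMBER": {"participant", "own_org", "contractor_msp"},
    "TLP:GREEN": {"participant", "own_org", "contractor_msp", "community"},
    "TLP:CLEAR": set(RECIPIENTS),
}
# Most to least restrictive; used to stop a forwarder from loosening a label.
ORDER = ["TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR"]
# AMBER+STRICT must be tried before AMBER so the longer marking wins.
LABEL_RE = re.compile(r"TLP:(?:RED|AMBER\+STRICT|AMBER|GREEN|CLEAR)")


def extract_label(document: str) -> str:
    """Read the TLP marking from the first and last non-empty line.
    No marking at all defaults to TLP:RED (the 'treat untagged as RED' rule);
    a header/footer mismatch is an error rather than a guess."""
    lines = [ln for ln in document.strip().splitlines() if ln.strip()]
    head = LABEL_RE.search(lines[0]) if lines else None
    foot = LABEL_RE.search(lines[-1]) if lines else None
    found = {m.group(0) for m in (head, foot) if m}
    if len(found) > 1:
        raise ValueError(f"conflicting TLP markings: {sorted(found)}")
    return found.pop() if found else "TLP:RED"


def may_share(label: str, recipient: str) -> bool:
    """True if `label` permits disclosure to the given recipient class."""
    if recipient not in RECIPIENTS:
        raise ValueError(f"unknown recipient class: {recipient}")
    return recipient in ALLOWED[label]


def may_relabel(incoming: str, outgoing: str) -> bool:
    """A forwarder may keep or tighten a label, never loosen it."""
    return ORDER.index(outgoing) <= ORDER.index(incoming)


# Constructed sample report marked in both header and footer.
SAMPLE = "TLP:AMBER+STRICT\nIncident summary: constructed example text.\nTLP:AMBER+STRICT\n"
```

Running `extract_label(SAMPLE)` yields `TLP:AMBER+STRICT`, and `may_share` on that label rejects `contractor_msp`, matching the note on AMBER+STRICT above.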