A word on FIRST
FIRST is the Forum of Incident Response and Security Teams. Since 1990, when FIRST was founded, its members have resolved an almost continuous stream of security-related attacks and incidents including handling thousands of security vulnerabilities affecting nearly all of the millions of computer systems and networks throughout the world connected by the ever growing Internet.
FIRST brings together a wide variety of security and incident response teams including especially product security teams from the government, commercial, and academic sectors.
TLP, what’s that ?
TLP, originally developed to encourage information sharing with and among public and private sector security professionals in the United Kingdom, has achieved widespread adoption around the globe.
TLP is regularly used by all types of CSIRTs, PSIRTs, operational trust communities, information sharing analysis organizations, government agencies, and private researchers.
Due to its massive global adoption, TLP has achieved “de facto” international standard status. The FIRST community, in consultation with other security information sharing communities, established a Standards SIG for TLP to ensure that interpretations are consistent and that TLP is leveraged appropriately and with clear expectations by all.
The FIRST TLP SIG governs the definition of TLP for the benefit of the worldwide security incident response community and its partners. The TLP SIG members standardize, translate and, as necessary, evolve the TLP in an independent, fair and transparent fashion.
The initial version of the standard, TLP version 1.0, has been authoritative from 2017.
Starting from August 2022, FIRST SIG, introduced TLP version 2.0, which will replace TLP v1.0 by the end of this year.
TLP is a protocol that leverages a very specific use of colours labelling to tell the disclosure rights for specific communications or documents. All the details on using the protocol for your own communications is described in the FIRST documentation on the standard: https://www.first.org/tlp/.
Version 2.0 brings two major changes:
- TLP:CLEAR replaces TLP:WHITE.
- The new TLP:AMBER+STRICT supplements TLP:AMBER, designating that the information may be shared with the recipient’s organization only
- Note that TLP:AMBER is still existing as it was before, TLP:AMBER+STRICT only adds the precision on the organization limitation.
So, starting from August 2022, TLP colours will be as follow, according to the description of the standard:
- TLP:RED= For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.
- TLP:AMBER= Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.
- TLP:GREEN= Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defence community.
- TLP:CLEAR= Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
CERT-XLM uses TLP
CERT-XLM, as any CSIRT members of FIRST makes use of the protocol on every document its produces.
Monthly newsletters and the so-called “white notifications” and “amber notifications” are no exceptions. Customers that receive the monthly newsletter and the security alerts sent through EYENOTIFY, by CERT-XLM are already used to it.
By the end of the year 2022, CERT-XLM started adopting and use TLP v2.0.
Monthly newsletters and Amber notifications will keep the same tagging with TLP:AMBER, while TLP:WHITE will become TLP:CLEAR notifications.