
Last updated on 7/2/24

Comply With Protocols for Using and Disseminating Information

Understand the Role of Protocols

Complying with protocols for using and disseminating information is essential in cybersecurity to ensure data confidentiality, integrity, and availability.

Tagging or marking conventions play a key role in managing cybersecurity information, especially for:

  • standardizing the use and sharing of information: This makes it easier to understand and use information consistently within an organization, helping to determine who can access what information and how they should handle it.

  • promoting alignment of information handling practices: By defining common conventions, you can ensure that your organization manages information in an efficient and compliant way.

  • strengthening trust between different communities: Conventions that an organization adopts to correctly label and secure information help strengthen information sharing.

  • protecting information systems: By ensuring that only authorized people have access to sensitive information, you help to strengthen data security and prevent information management incidents.

Use TLP for Information Dissemination

The Forum of Incident Response and Security Teams (FIRST) developed the Traffic Light Protocol (TLP) to help people working in cybersecurity manage and share information. It aims to strike the right balance between the need to share relevant information to counter threats and the need to protect sensitive information.

TLP is based on a system of colors, with each color representing the confidentiality level and distribution restriction associated with a particular piece of information.

CISA (the US Cybersecurity and Infrastructure Security Agency) provides the following definitions of TLP 2.0 levels:

| TLP Level | Type of Information |
|-----------|---------------------|
| TLP:RED | For the eyes and ears of individual recipients only; no further disclosure. |
| TLP:AMBER | Limited disclosure; recipients can only spread this on a need-to-know basis within their organization and its clients. |
| TLP:GREEN | Limited disclosure; recipients can spread this within their community (including peer and partner organizations). |
| TLP:CLEAR | Recipients can spread this to the world; there is no limit on disclosure. |

Here are some examples of cybersecurity information that could be classified using the TLP levels:

TLP Level

Information Example

TLP:RED

  • Specific details about an unpatched security vulnerability that threat actors are exploiting.

  • Information about an ongoing cyber attack against an organization, including details of the techniques, tactics, and procedures the attackers are using.

  • Information about highly sensitive digital assets that have been compromised, such as encryption keys or privileged login credentials.

TLP:AMBER

  • Information on a recently discovered vulnerability for which a patch is not yet available, enabling security teams to prepare for corrective action.

  • Reports on past security incidents, providing information on the attackers’ methodology without revealing sensitive information.

TLP:GREEN

  • Notification of publicly available security updates and patches.

  • General threat analyses, cybersecurity trends, and security awareness tips aimed at a wider audience.

TLP:CLEAR

  • Non-sensitive cybersecurity research reports, providing information on topics related to IT security.

  • Information on cybersecurity conferences, webinars, or training courses available to the public.

  • Information on new cybersecurity laws, regulations, or policies that are not confidential.

Use PAP for Information Use

The Permissible Actions Protocol (PAP) made its debut in 2016 as part of the taxonomies of the Malware Information Sharing Platform (MISP), which the Computer Incident Response Center Luxembourg (CIRCL) maintains and develops.

PAP is based on the principle of categorizing potential actions according to the information they could reveal to a given threat actor. In other words, it provides guidelines on how we should use security-related information.

In France, ANSSI provides the following operational interpretation of PAP levels:

| PAP Level | Type of Information |
|-----------|---------------------|
| PAP:RED | Use limited to infrastructure dedicated to digital investigation and detection. |
| PAP:AMBER | Use limited to the passive exploitation of data (i.e., only to actions not visible to malicious sources). |
| PAP:GREEN | Controlled use allowing non-intrusive interactions with malicious sources. |
| PAP:CLEAR | Unrestricted use in compliance with law and licenses, with no constraints on the exploitation or handling of the information. |
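The two tables above can be enforced in tooling as a gate that reads the TLP and PAP tags on a record before it is shared or acted on. The following is an added example, not part of the original course: the audience and use names, the `tlp:`/`pap:` tag spelling and the sample records are assumptions, and it treats each level as also permitting everything a more restrictive level permits.

```python
import re

LEVELS = ["red", "amber", "green", "clear"]  # most to least restrictive
# Widest audience each TLP level allows (TLP table), in LEVELS order.
# "organization" includes the organization's clients, as in TLP:AMBER.
AUDIENCES = ["recipient", "organization", "community", "public"]
# Broadest kind of use each PAP level allows (PAP table), in LEVELS order.
USES = ["dedicated_infrastructure", "passive",
        "non_intrusive_interaction", "unrestricted"]

# Accepts "tlp:amber", "TLP:AMBER" and "PAP: GREEN" alike.
TAG_RE = re.compile(r"^\s*(tlp|pap)\s*:\s*(red|amber|green|clear)\s*$",
                    re.IGNORECASE)

def marking(tags):
    """Return {'tlp': level, 'pap': level} for a record's tag list.

    Fails closed: a missing marking is handled as RED, and conflicting
    markings resolve to the most restrictive one.
    """
    found = {"tlp": [], "pap": []}
    for tag in tags:
        m = TAG_RE.match(tag)
        if m:
            found[m.group(1).lower()].append(m.group(2).lower())
    return {k: min(v, key=LEVELS.index) if v else "red"
            for k, v in found.items()}

def may_share(tags, audience):
    """True if the TLP marking allows dissemination to this audience."""
    return AUDIENCES.index(audience) <= LEVELS.index(marking(tags)["tlp"])

def may_use(tags, use):
    """True if the PAP marking allows this kind of use."""
    return USES.index(use) <= LEVELS.index(marking(tags)["pap"])

def releasable(records, audience):
    """IDs of the records that may be disseminated to the audience."""
    return [r["id"] for r in records if may_share(r["tags"], audience)]

# Constructed sample records, not real intelligence.
SAMPLE = [
    {"id": "evt-1", "tags": ["tlp:amber", "PAP: GREEN"]},
    {"id": "evt-2", "tags": ["TLP:CLEAR", "tlp:red", "pap:clear"]},  # conflict
    {"id": "evt-3", "tags": ["malware:family-x"]},                   # unmarked
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], marking(rec["tags"]))
    print("organization feed:", releasable(SAMPLE, "organization"))
```

Only `evt-1` reaches the organization feed: the conflicting and the unmarked records are both handled as TLP:RED and stay with their original recipient.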

Let’s Recap!

  • Complying with protocols for the use and dissemination of information in cybersecurity is important to ensure that information continues to flow between stakeholders, while ensuring compliance with best practices for managing sensitive information.

  • The Traffic Light Protocol (TLP) is an essential tool for supporting the dissemination of cybersecurity information, providing levels of sensitivity and clear rules for information dissemination.

  • The Permissible Actions Protocol (PAP) is a tool that defines rules for using information based on its sensitivity, to minimize the risk of inadvertent disclosure of sensitive information.

You can now apply the protocols for using and disseminating information to the results of your cyber threat intelligence. Now let’s take a look at how continuous improvement in threat intelligence practices can strengthen a company’s overall security.
