Understand the Role of Protocols
In cybersecurity, following agreed protocols for using and disseminating information protects the confidentiality of what is shared (and, for operational data, keeps adversaries from learning what defenders know) while still letting it reach the people who need it.
Tagging or marking conventions play a key role in managing cybersecurity information, especially for:
standardizing the use and sharing of information: This makes it easier to understand and use information consistently within an organization, helping to determine who can access what information and how they should handle it.
promoting alignment of information handling practices: By defining common conventions, you can ensure that your organization manages information in an efficient and compliant way.
strengthening trust between different communities: When partners can see that an organization labels and protects information correctly, they are more willing to share with it.
protecting information systems: By ensuring that only authorized people have access to sensitive information, you strengthen data security and prevent leaks and mishandling.
Use TLP for Information Dissemination
TLP is maintained by the Forum of Incident Response and Security Teams (FIRST), which published the current version, TLP 2.0, in 2022. It is intended for people working in cybersecurity who need to manage and share information, and it aims to strike the right balance between the need to share relevant information to counter threats and the need to protect sensitive information.
TLP is based on a system of colors, with each color representing the confidentiality level and distribution restriction associated with a particular piece of information.
CISA (the US Cybersecurity and Infrastructure Security Agency) provides the following definitions of TLP 2.0 levels:
TLP Level | Type of Information |
TLP:RED | For the eyes and ears of individual recipients only; no further disclosure. |
TLP:AMBER | Limited disclosure; recipients can only spread this on a need-to-know basis within their organization and its clients. |
TLP:GREEN | Limited disclosure; recipients can spread this within their community (including peer and partner organizations). |
TLP:CLEAR | Recipients can spread this to the world; there is no limit on disclosure. |
TLP 2.0 also defines TLP:AMBER+STRICT, which restricts sharing to the recipient's own organization (clients excluded), and renames the former TLP:WHITE to TLP:CLEAR; information still marked TLP:WHITE should be handled as TLP:CLEAR.
Here are some examples of cybersecurity information that could be classified using the TLP levels:
TLP Level | Information Example |
Use PAP for Information Use
PAP made its debut in 2016 as part of the taxonomies of the Malware Information Sharing Platform (MISP), which the Computer Incident Response Center Luxembourg (CIRCL) maintains and develops.
PAP is based on the principle of categorizing potential actions according to what they could reveal to a given threat actor: resolving an attacker's domain from the corporate network, fetching a URL from their server, or scanning their infrastructure can tip the attacker off that the indicator has been detected. In other words, it provides guidelines on how we should use security-related information, whereas TLP only governs who may receive it.
In France, ANSSI provides the following operational interpretation of PAP levels:
PAP Level | Type of Information |
PAP:RED | Use limited to infrastructure dedicated to digital investigation and detection. |
PAP:AMBER | Use limited to the passive exploitation of data (i.e., only to actions not visible to malicious sources). |
PAP:GREEN | Controlled use allowing non-intrusive interactions with malicious sources. |
PAP:CLEAR | Unrestricted use in compliance with law and licenses, with no constraints on the exploitation or handling of the information. |
As with TLP, older MISP data may still carry PAP:WHITE, the previous name of PAP:CLEAR.
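The following is an added example (not code from the page, FIRST, CISA, ANSSI or MISP) that turns the TLP 2.0 dissemination rules above and the PAP usage rules in this table into checks a sharing platform or SOC playbook could run. It normalises markings as they appear in practice (mixed case, the legacy WHITE name, the AMBER+STRICT sub-level), computes the marking of a report merged from several sources, and decides whether a proposed action on an indicator is compatible with its PAP level. The audience names, the three attributes used to describe an action, the sample actions, and the "most restrictive input wins" rule for merged reports are assumptions of this example, not something the page states.

```python
"""Toy helpers for TLP 2.0 and PAP markings.

Added example, not code from the page, FIRST, CISA, ANSSI or MISP.
Assumptions not stated on the page: the audience names used for TLP checks,
the three attributes used to describe an action for PAP checks, and the rule
that a merged report carries the most restrictive input marking.
"""
from dataclasses import dataclass

# Least to most restrictive. "WHITE" is the TLP 1.0 name for CLEAR (and the
# old MISP PAP name); it is accepted as an input alias and never produced.
TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]
PAP_ORDER = ["CLEAR", "GREEN", "AMBER", "RED"]
LEGACY_ALIASES = {"WHITE": "CLEAR"}

# Who a recipient may pass TLP-marked information on to. The audience names
# are an assumption of this example; the sets grow as the level relaxes.
TLP_AUDIENCE = {
    "RED": {"recipient"},
    "AMBER+STRICT": {"recipient", "organization"},
    "AMBER": {"recipient", "organization", "clients"},
    "GREEN": {"recipient", "organization", "clients", "community"},
    "CLEAR": {"recipient", "organization", "clients", "community", "public"},
}


def parse_marking(tag: str, scheme: str) -> str:
    """Normalise 'TLP:amber+strict', 'tlp:white' or 'PAP:green' to a level name."""
    order = {"TLP": TLP_ORDER, "PAP": PAP_ORDER}[scheme]
    prefix, sep, level = tag.strip().upper().partition(":")
    if not sep or prefix != scheme:
        raise ValueError(f"not a {scheme} marking: {tag!r}")
    level = LEGACY_ALIASES.get(level, level)
    if level not in order:
        raise ValueError(f"unknown {scheme} level: {tag!r}")
    return level


def most_restrictive(tags: list, scheme: str) -> str:
    """Marking for a report built from several sources: the strictest input wins."""
    order = {"TLP": TLP_ORDER, "PAP": PAP_ORDER}[scheme]
    levels = [parse_marking(t, scheme) for t in tags]
    if not levels:
        raise ValueError("no markings given")
    return max(levels, key=order.index)


def may_share(tlp_tag: str, audience: str) -> bool:
    """May the recipient of tlp_tag-marked information pass it to this audience?"""
    if audience not in TLP_AUDIENCE["CLEAR"]:
        raise ValueError(f"unknown audience: {audience!r}")
    return audience in TLP_AUDIENCE[parse_marking(tlp_tag, "TLP")]


@dataclass(frozen=True)
class Action:
    """A proposed use of an indicator, described by what it could reveal."""
    name: str
    visible_to_adversary: bool  # contacts infrastructure the adversary controls or watches
    intrusive: bool             # scanning, exploitation, takedown attempts
    dedicated_infra: bool       # run only on isolated investigation/detection systems


def may_perform(pap_tag: str, action: Action) -> bool:
    """Apply the four PAP levels, as the table above describes them, to an action."""
    level = parse_marking(pap_tag, "PAP")
    if level == "CLEAR":          # unrestricted use
        return True
    if level == "GREEN":          # interaction allowed, but non-intrusive only
        return not action.intrusive
    if level == "AMBER":          # passive use only: nothing the adversary can observe
        return not action.visible_to_adversary
    # RED: passive use, and only from dedicated investigation/detection infrastructure
    return not action.visible_to_adversary and action.dedicated_infra


# Constructed sample actions for the demonstration below.
SIEM_SEARCH = Action("search internal SIEM logs for the indicator", False, False, False)
LAB_SANDBOX = Action("detonate the sample in an isolated lab sandbox", False, False, True)
DNS_LOOKUP = Action("resolve the malicious domain from a corporate workstation", True, False, False)
PORT_SCAN = Action("port-scan the suspected C2 server", True, True, False)


if __name__ == "__main__":
    print(most_restrictive(["TLP:GREEN", "tlp:amber", "TLP:WHITE"], "TLP"))  # AMBER
    for tag in ("PAP:RED", "PAP:AMBER", "PAP:GREEN", "PAP:CLEAR"):
        allowed = [a.name for a in (SIEM_SEARCH, LAB_SANDBOX, DNS_LOOKUP, PORT_SCAN)
                   if may_perform(tag, a)]
        print(tag, "->", allowed)
```

Two design points worth noting. Merging takes the most restrictive level because a report that quotes a TLP:AMBER source cannot be handed out under the TLP:GREEN marking of its other sources. The PAP check deliberately fails closed: an action whose visibility to the adversary is unknown should be described as visible, since the cost of a false "allowed" is tipping off the attacker and burning the indicator.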
Let’s Recap!
Complying with protocols for the use and dissemination of information in cybersecurity is important to ensure that information continues to flow between stakeholders, while ensuring compliance with best practices for managing sensitive information.
The Traffic Light Protocol (TLP) is an essential tool for supporting the dissemination of cybersecurity information, providing levels of sensitivity and clear rules for information dissemination.
The Permissible Actions Protocol (PAP) defines rules for how information may be used (not just who may receive it), so that acting on an indicator does not reveal to the adversary what defenders know or burn a detection capability.
You can now apply the protocols for using and disseminating information to the results of your cyber threat intelligence. Now let’s take a look at how continuous improvement in threat intelligence practices can strengthen a company’s overall security.