Conduct Your Cybersecurity Watch

4 heures
Facile

Ce cours est visible gratuitement en ligne.

course.header.alt.is_certifying

J'ai tout compris !

Mis à jour le 02/07/2024

Comply With Protocols for Using and Disseminating Information

Understand the Role of Protocols

Complying with protocols for using and disseminating information is essential in cybersecurity to ensure data confidentiality, integrity, and availability.

Tagging or marking conventions play a key role in managing cybersecurity information, especially for:

standardizing the use and sharing of information: This makes it easier to understand and use information consistently within an organization, helping to determine who can access what information and how they should handle it.
promoting alignment of information handling practices: By defining common conventions, you can ensure that your organization manages information in an efficient and compliant way.
strengthening trust between different communities: Conventions that an organization adopts to correctly label and secure information help strengthen information sharing.
protecting information systems: By ensuring that only authorized people have access to sensitive information, you help to strengthen data security and prevent information management incidents.

Use TLP for Information Dissemination

The Forum of Incident Response and Security Teams (FIRST) developed TLP to help people working in cybersecurity to manage and share information. It aims to strike the right balance between the need to share relevant information to counter threats and the need to protect sensitive information.

TLP is based on a system of colors, with each color representing the confidentiality level and distribution restriction associated with a particular piece of information.

CISA (the US Cybersecurity and Infrastructure Security Agency) provides the following definitions of TLP 2.0 levels:

TLP Level	Type of Information
`TLP:RED`	For the eyes and ears of individual recipients only; no further disclosure.
`TLP:AMBER`	Limited disclosure; recipients can only spread this on a need-to-know basis within their organization and its clients.
`TLP:GREEN`	Limited disclosure; recipients can spread this within their community (including peer and partner organizations).
`TLP:CLEAR`	Recipients can spread this to the world; there is no limit on disclosure.

Here are some examples of cybersecurity information that could be classified using the TLP levels:

TLP Level	Information Example
`TLP: RED`	Specific details about an unpatched security vulnerability that threat actors are exploiting. Information about an ongoing cyber attack against an organization, including details of the techniques, tactics, and procedures the attackers are using. Information about highly sensitive digital assets, such as encryption keys or privileged login credentials, where they have been compromised.
`TLP: AMBER`	Information on a recently discovered vulnerability for which a patch is not yet available, enabling security teams to prepare for corrective action. Reports on past security incidents, providing information on the attackers’ methodology without revealing sensitive information. Note that TLP 2.0 adds the TLP:AMBER+STRICT designation, which restricts sharing to within the organization only.
`TLP: GREEN`	Notification of publicly available security updates and patches. General threat analyses, cybersecurity trends, and security awareness tips aimed at a wider audience.
`TLP: CLEAR`	Non-sensitive cybersecurity research reports, providing information on topics related to IT security. Information on cybersecurity conferences, webinars, or training courses available to the public. Information on new cybersecurity laws, regulations, or policies that are not confidential.

Use PAP for Information Use

PAP made its debut in 2016 as part of the taxonomies of the Malware Information Sharing Platform (MISP), which the Computer Incident Response Center Luxembourg (CIRCL) maintains and develops.

PAP is based on the principle of categorizing potential actions according to the information they could reveal to a given threat actor. In other words, it provides guidelines on how we should use security-related information.

In France, ANSSI provides the following operational interpretation of PAP levels:

PAP Level	Type of Information
`PAP: RED`	Use limited to infrastructure dedicated to digital investigation and detection.
`PAP: AMBER`	Use limited to the passive exploitation of data (i.e., only to actions not visible to malicious sources).
`PAP: GREEN`	Controlled use allowing non-intrusive interactions with malicious sources.
`PAP: CLEAR`	Unrestricted use in compliance with law and licenses, with no constraints on the exploitation or handling of the information.

Let’s Recap!

Complying with protocols for the use and dissemination of information in cybersecurity is important to ensure that information continues to flow between stakeholders, while ensuring compliance with best practices for managing sensitive information.
The Traffic Light Protocol (TLP) is an essential tool for supporting the dissemination of cybersecurity information, providing levels of sensitivity and clear rules for information dissemination.
The Permissible Actions Protocol (PAP) is a tool that defines rules for using information based on its sensitivity, to minimize the risk of inadvertent disclosure of sensitive information.

You can now apply the protocols for using and disseminating information to the results of your cyber threat intelligence. Now let’s take a look at how continuous improvement in threat intelligence practices can strengthen a company’s overall security.