What is TLP?
TLP is a widely used standard for exchanging cybersecurity-related information in the incident response, digital forensics and cyber threat intelligence communities. It was initially established in 1999. In 2015, FIRST took a leading role in unifying and standardising TLP.
TLP uses colour coding to:
1. give an indication about the sensitivity of cybersecurity-related information
2. specify the sharing restrictions associated with this information.
The most relevant TLP colours are green, amber, and red. This explains why the protocol was named after traffic lights.
Cybersecurity defence teams such as CSIRTs, CERTs such as ourselves, PSIRTs, and NCSCs use it as a de facto standard for exchanging information with peers, partners and constituents. In many fora, such as FIRST, membership is subject to the use of TLP according to the applicable guidelines.
TLP is not a classification scheme, nor is it legally binding. As a recipient, you could break the TLP. But by doing so you would jeopardise the trust placed in you by the community. And without trust there can be no sharing of sensitive data. In other words, if you play with fire, you risk getting burned.
How CERT-EU uses TLP
At CERT-EU, all our teams use TLP, including our Offensive Security team (which doesn’t offend anyone, at least not intentionally).
We add TLP markings to most — if not all — of our deliverables, internal procedures, presentations, and exchange of information with third parties. We also incorporate a TLP definition section at the end of certain publications, such as our Threat Alerts, Threat Memos, Security Guidance documents, and Cyber Briefs.
Tip: See the Publications section of our website for examples.
We add a brief summary of the TLP definitions in our publications for two reasons:
- Some of the recipients of the publication might not be familiar with TLP. While we might expect all the defenders in this universe and beyond to know what TLP:AMBER and TLP:WHITE mean, we shouldn’t assume the same holds true for all recipients. Sysadmins, senior management, and policy-makers are some examples of groups of people who might read one of our publications, without being familiar with TLP.
- Rather than pointing to the FIRST TLP page, we use a simplified version to help recipients understand TLP, and communicate its core message: That the dissemination of the document they have in their hands is — or is not — restricted.
Incidentally, including TLP definitions in publications instead of pointing to the aforementioned FIRST TLP page, also helps us once in a blue moon when … the standard changes and TLP:WHITE becomes TLP:CLEAR.
Moving from version 1 to version 2
We welcome TLP version 2, which we believe to be clearer (no pun intended).
As a FIRST member, we are also fully on board with FIRST’s recommendation to use version 2 as of August 2022. But unfortunately, practical constraints keep us from switching to version 2 overnight.
We have automated the processes to add TLP markings (and their corresponding definitions when applicable) to our documents. We need to adapt these processes to the new TLP version and verify that the full chain — from document authoring to publication — ‘speaks’ TLP version 2 before we can move to the new version.
This should not take us very long. But until that time, we will continue using TLP version 1.
To facilitate the transition for us and the whole community of TLP aficionados, FIRST published a newsroom item on August 5, which highlights the most significant changes between the two versions of the TLP.
Besides clarifying the differences, FIRST expresses its hope that ‘the industry embraces TLP version 2.0 quickly and will be fully in use by January 2023’. We believe this will indeed provide enough time for us to move to the new version of the standard and educate our constituents about the changes.
To jump-start this endeavour, we have prepared comparison tables between the two versions, which we will be using to adapt our processes and inform our constituents. We have included them below in the hope that you will find them useful.
Definitions of the various TLP markings
The table below summarises the differences and similarities in the definitions of TLP markings between the two versions.
| TLP marking | Version 1.0 | Version 2.0 | Comments |
|---|---|---|---|
| TLP:RED | Not for disclosure, restricted to participants only | For the eyes and ears of individual recipients only, no further disclosure | Improved, clearer language |
| TLP:AMBER | Limited disclosure, restricted to participants' organisations | Limited disclosure, recipients can only spread this on a need-to-know basis within their organisation and its clients | Although version 1.0 appears to limit TLP:AMBER to participants' organisations only, it already allowed dissemination to clients, exactly as version 2.0 does |
| TLP:AMBER+STRICT | (doesn't exist in this version) | Limited disclosure, recipients can only spread this on a need-to-know basis within their organisation only | Version 1.0 authorised the source to specify additional and intentional limits. Several entities, including us, had thus been restricting TLP:AMBER in certain contexts by appending STRICT. This convention is now part of the standard. |
| TLP:GREEN | Limited disclosure, restricted to the community | Limited disclosure, recipients can spread this within their community | Improved language, though "community" remains generic |
| TLP:WHITE | Disclosure is not limited | (doesn't exist in this version, replaced by TLP:CLEAR) | - |
| TLP:CLEAR | (doesn't exist in this version, formerly known as TLP:WHITE) | Recipients can spread this to the world, there is no limit on disclosure | - |
Use of TLP marking by information sources
The table below summarises how sources of information can use a TLP marking in version 1.0 vs. version 2.0.
| TLP marking | Version 1.0 | Version 2.0 |
|---|---|---|
| TLP:RED | Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused | Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organisations involved |
| TLP:AMBER | Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organisations involved | Same as version 1.0 |
| TLP:AMBER+STRICT | (doesn't exist in this version) | If the source wants to restrict sharing to the recipient organisation only, they must specify TLP:AMBER+STRICT |
| TLP:GREEN | Sources may use TLP:GREEN when information is useful for the awareness of all participating organisations as well as with peers within the broader community or sector | Sources may use TLP:GREEN when information is useful to increase awareness within their wider community |
| TLP:WHITE | Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release | (doesn't exist in this version, replaced by TLP:CLEAR) |
| TLP:CLEAR | (doesn't exist in this version, formerly known as TLP:WHITE) | Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release |
Note that sources:
- can use TLP:AMBER the same way in both versions
- can use TLP:CLEAR in v2.0 the same way they were using TLP:WHITE in v1.0.
Sharing of TLP-marked information by recipients
Finally, the table below summarises how recipients may share information marked with a given TLP label from version 2.0, compared to version 1.0.
| TLP marking | Version 1.0 | Version 2.0 |
|---|---|---|
| TLP:RED | Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person | Recipients may not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting |
| TLP:AMBER | Recipients may only share TLP:AMBER information with members of their own organisation, and with clients or customers who need to know the information to protect themselves or prevent further harm | Recipients may share TLP:AMBER information with members of their own organisation and its clients, but only on a need-to-know basis to protect their organisation and its clients and prevent further harm |
| TLP:AMBER+STRICT | (doesn't exist in this version) | Recipients may only share TLP:AMBER+STRICT information with members of their own organisation, and only on a need-to-know basis to protect their organisation and prevent further harm |
| TLP:GREEN | Recipients may share TLP:GREEN information with peers and partner organisations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community | Recipients may share TLP:GREEN information with peers and partner organisations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when "community" is not defined, assume the cybersecurity/defence community |
| TLP:WHITE | Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction | (doesn't exist in this version, replaced by TLP:CLEAR) |
| TLP:CLEAR | (doesn't exist in this version, formerly known as TLP:WHITE) | Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction |
Note that recipients:
- cannot share TLP:AMBER+STRICT outside of their organisation
- can share TLP:CLEAR in v2.0 the same way they were sharing TLP:WHITE in v1.0.
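The section "Moving from version 1 to version 2" mentions an automated pipeline that stamps markings (and their definitions) onto documents and has to be checked end to end before it can be said to "speak" TLP version 2. As an added illustration of what such a check can look like, the Python helper below is example code written for this page, not CERT-EU's own tooling: it parses and validates a marking against either version (so TLP:WHITE is rejected in a v2.0 pipeline and TLP:AMBER+STRICT in a v1.0 one), translates v1.0 markings to v2.0, audits a document for markings that still need migrating, and encodes the recipient sharing rules from the tables above. The audience categories, the function names and the sample document are assumptions of the example; the marking definitions follow the FIRST text summarised in the tables.

```python
"""TLP marking parser, v1.0 -> v2.0 migration and sharing check.

Hypothetical helper written for this page (not CERT-EU's tooling).
Definitions follow the FIRST TLP 1.0 / 2.0 text; the audience model is an
assumption of this example.
"""
import re
from enum import Enum


class Audience(Enum):
    """Who a recipient wants to pass the information on to (example model)."""
    OWN_ORG = "own organisation"
    CLIENTS = "clients of own organisation"
    COMMUNITY = "peers and partners in the community"
    PUBLIC = "publicly accessible channels"


# Markings that exist in each version, from most to least restrictive.
LEVELS = {
    "1.0": ("RED", "AMBER", "GREEN", "WHITE"),
    "2.0": ("RED", "AMBER+STRICT", "AMBER", "GREEN", "CLEAR"),
}

# Only WHITE was renamed; every other v1.0 colour keeps its name in v2.0.
V1_TO_V2 = {"WHITE": "CLEAR"}

# Recipient sharing rules keyed on v2.0 names. v1.0 AMBER already allowed
# clients and v1.0 WHITE equals v2.0 CLEAR, so one table covers both versions.
ALLOWED = {
    "RED": frozenset(),                       # no further disclosure at all
    "AMBER+STRICT": frozenset({Audience.OWN_ORG}),
    "AMBER": frozenset({Audience.OWN_ORG, Audience.CLIENTS}),
    "GREEN": frozenset({Audience.OWN_ORG, Audience.CLIENTS, Audience.COMMUNITY}),
    "CLEAR": frozenset(Audience),             # no limit on disclosure
}

# A single marking on its own (tolerates case and stray whitespace).
MARKING_RE = re.compile(r"^\s*TLP:\s*([A-Z]+)(\+STRICT)?\s*$", re.IGNORECASE)
# Any marking embedded in running document text.
EMBEDDED_RE = re.compile(r"TLP:\s*([A-Z]+(?:\+STRICT)?)", re.IGNORECASE)


def parse_marking(text, version="2.0"):
    """Return the canonical 'TLP:COLOUR[+STRICT]' form or raise ValueError.

    Colours that do not exist in `version` are rejected, which is the check
    a pipeline needs before stamping a document as TLP 2.0.
    """
    m = MARKING_RE.match(text)
    if not m:
        raise ValueError(f"not a TLP marking: {text!r}")
    colour = m.group(1).upper() + (m.group(2) or "").upper()
    if colour not in LEVELS[version]:
        raise ValueError(f"{colour} is not a valid TLP {version} marking")
    return f"TLP:{colour}"


def is_valid(text, version="2.0"):
    """Boolean convenience wrapper around parse_marking()."""
    try:
        parse_marking(text, version)
        return True
    except ValueError:
        return False


def to_v2(marking):
    """Translate a v1.0 marking to its v2.0 equivalent (WHITE -> CLEAR)."""
    colour = parse_marking(marking, "1.0")[len("TLP:"):]
    return "TLP:" + V1_TO_V2.get(colour, colour)


def may_share(marking, audience, version="2.0"):
    """True if a recipient of `marking` may pass it on to `audience`."""
    colour = parse_marking(marking, version)[len("TLP:"):]
    if version == "1.0":
        colour = V1_TO_V2.get(colour, colour)
    return audience in ALLOWED[colour]


def audit_document(text):
    """List (found, v2_form, needs_migration) for every marking in `text`.

    Markings unknown to both versions get v2_form None so they surface too.
    """
    report = []
    for m in EMBEDDED_RE.finditer(text):
        found = "TLP:" + m.group(1).upper()
        if is_valid(found, "2.0"):
            report.append((found, found, False))
        elif is_valid(found, "1.0"):
            report.append((found, to_v2(found), True))
        else:
            report.append((found, None, True))
    return report


# Constructed sample document (not a real CERT-EU publication).
SAMPLE_DOC = (
    "Threat Alert 22-xx. TLP:WHITE. "
    "Annex A is marked TLP:AMBER+STRICT; the cover page carries TLP:amber."
)

if __name__ == "__main__":
    for found, v2, migrate in audit_document(SAMPLE_DOC):
        print(f"{found:18} -> {v2!s:18} {'MIGRATE' if migrate else 'ok'}")
```

Running the module audits the constructed sample and flags the lone TLP:WHITE as needing migration while leaving the two AMBER markings untouched; wiring `is_valid(..., "2.0")` into the publication step is the guard that stops a v1.0-only marking from reaching a v2.0 document.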