The Traffic Light Protocol (TLP) is a standardized system for sharing sensitive information. It uses color codes to indicate how widely information can be distributed, helping organizations control and protect sensitive data during incident response and threat intelligence sharing. Read more: https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage

TLP designation is a crucial metadata field for IOCs, helping determine how widely indicator information can be shared with other parties.

<aside> The TLP designation is particularly important when dealing with custom-crafted or targeted malware samples, as these may require more restricted sharing protocols to protect sensitive information about potential threats.

</aside>

TLP helps ensure proper information sharing during incident response, especially when communicating with:

• Internal stakeholders and teams
• External partners and organizations
• Information sharing communities (ISACs)
• Regulatory bodies and law enforcement

Within this Incident Management System, TLP markings help automate and standardize information sharing decisions, ensuring sensitive IOCs and incident details are shared appropriately while maintaining security and compliance requirements.

Applicability

In the Incident Management System, TLP may be assigned to Incidents and Indicators of Compromise (IOCs)

TLP Color Codes

While it is ultimately up to each organization to assign meanings to their TLP designations, here are some general guidelines.

• TLP:CLEAR
  • Information can be shared freely without restrictions
  • Use when sharing public information or general cybersecurity best practices
• TLP:GREEN
  • Limited disclosure within the community and partner organizations
  • Appropriate for IOCs and incident details that can benefit the wider security community
• TLP:AMBER
  • Limited disclosure to specific organizations or groups
  • Used for sensitive information that requires controlled sharing with trusted partners
• TLP:AMBER+STRICT
  • Highly restricted sharing within the organization and specific named parties
  • For sensitive IOCs or details about targeted threats that require careful distribution
• TLP:RED
  • No disclosure beyond specific named recipients
  • Reserved for the most sensitive information about active incidents or critical vulnerabilities