
It’s commonly agreed that 2015 is the year of threat intelligence sharing. The ecosystem of specifications and standards for threat intelligence sharing is getting mature. Which of the following classifies threat intelligence that might be shared and controls the scope of sharing? (Wentz QOTD)
A. Traffic Light Protocol (TLP)
B. Trusted Automated eXchange of Indicator Information (TAXII)
C. Structured Threat Information eXpression (STIX)
D. Security Content Automation Protocol (SCAP)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Traffic Light Protocol (TLP).
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

The Traffic Light Protocol (TLP) is a system for classifying sensitive information created in the early 2000s by the UK Government’s National Infrastructure Security Coordination Centre (NISCC; now Centre for Protection of National Infrastructure, CPNI) to encourage greater sharing of sensitive information.
The fundamental concept is for the originator to signal how widely they want their information to be circulated beyond the immediate recipient. It is designed to improve the flow of information between individuals, organizations or communities in a controlled and trusted way. It is important that everyone who handles TLP-labeled communications understands and obeys the rules of the protocol. Only then can trust be established and the benefits of information sharing realized. The TLP is based on the concept of the originator labeling information with one of four colors to indicate what further dissemination, if any, can be undertaken by the recipient. The recipient must consult the originator if wider dissemination is required.
A number of current specifications for TLP exist.
– From ISO/IEC, as part of the Standard on Information security management for inter-sector and inter-organizational communications
– From US-CERT, which is intended to provide a publicly available simple definition
– From the Forum of Incident Response and Security Teams (FIRST), which published version 1.0 of its consolidated TLP document on August 31, 2016, arising from a Special Interest Group it created to ensure that interpretations of TLP are consistent and that clear expectations exist across user communities. (Source: Wikipedia)
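The scope control described above (originator marks the information with one of four colours; the recipient may only disseminate within that scope and must consult the originator for anything wider) can be made concrete in a small policy check. This is an added example, not code from the post or from FIRST; the four audience tiers, the `TLP:<COLOUR>` marking format and the sample report line are simplifying assumptions, and a derived product inherits the most restrictive input label so that aggregation never widens the scope.

```python
"""TLP (four-colour, v1.0-style) sharing-scope check. Added example; the
audience tiers and the "TLP:<COLOUR>" marking format are assumptions."""
import re
from enum import IntEnum


class Audience(IntEnum):
    """Who would receive the information, from narrowest to widest."""
    RECIPIENT = 0     # only the people the originator addressed
    ORGANIZATION = 1  # members of the recipient's own organization
    COMMUNITY = 2     # peers in the sharing community (e.g. an ISAC)
    PUBLIC = 3        # anyone, including open publication


# Widest audience each colour permits without going back to the originator.
TLP_MAX_AUDIENCE = {
    "RED": Audience.RECIPIENT,
    "AMBER": Audience.ORGANIZATION,
    "GREEN": Audience.COMMUNITY,
    "WHITE": Audience.PUBLIC,
}

_TLP_RE = re.compile(r"\bTLP:\s*([A-Za-z]+)\b")

# Constructed sample report header (not real intelligence).
SAMPLE_REPORT = "TLP:AMBER  Indicator bundle 2015-07 for ISAC members"


def parse_tlp(text):
    """Return the TLP colour marked in a message, or None if unmarked/unknown."""
    m = _TLP_RE.search(text)
    if not m:
        return None
    colour = m.group(1).upper()
    return colour if colour in TLP_MAX_AUDIENCE else None


def may_share(colour, audience):
    """Decide whether a recipient may pass labelled data on to `audience`.
    Returns 'allow', or 'consult-originator' when the audience is wider than
    the label permits. Unlabelled or unknown markings are treated as RED:
    the safe default is not to disseminate at all."""
    limit = TLP_MAX_AUDIENCE.get(colour, Audience.RECIPIENT)
    return "allow" if audience <= limit else "consult-originator"


def derived_label(*colours):
    """Label for a product built from several inputs: the most restrictive
    input colour wins, so combining reports never widens the sharing scope."""
    known = [c if c in TLP_MAX_AUDIENCE else "RED" for c in colours]
    return min(known, key=TLP_MAX_AUDIENCE.__getitem__, default="RED")
```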
Reference
- Automated Indicator Sharing (AIS) by Cybersecurity and Infrastructure Security Agency (CISA)
- Navigating a Sea of Threat Intelligence Specifications
- A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain
- The Pyramid of Pain (DavidJBianco)
- Indicator of compromise (Wikipedia)
- Mapping zveloCTI Threat Intelligence Data to the Pyramid of Pain for Indicators of Compromise (IOC)
- Traffic Light Protocol
- What You Need To Know About Traffic Light Protocol Usage in Threat Intelligence