Add TLP Classification Level to Artifacts, with Associated Behavior

In order to use Resilient in an MSSP environment, we would like to be able to classify the confidentiality of each artifact according to the Traffic Light Protocol, and use this classification to configure the relating functionalities of Resilient.

The classification should be used in integrations with Threat Information Platforms.

The classification should also affect how the system relates artifacts across incidents. E.g. Artifacts tagged as TLP:Red should only be related within the originating tenant while artifacts tagged as TLP:Amber may be related across multiple tenants.

  • Guest
  • May 16 2018
  • Future consideration
  • Attach files
  • Guest commented
    5 Feb, 2019 01:39pm

    The TLP need to be set on each IOC/Artifact. So the color of the Icon that show a hit could be the TLP color coding, (and not just the actual red). 

    The TLP of the IOC decide what kind of sharing can be done out of the incident, that mean that if a TLP RED is coming from an internal TI Platform, this IOC should not be check against external TI from our OTB TI list.

    The TLP of the Incident is the max of the TLP of each IOC/Artifact

  • Admin
    REED SHEA commented
    31 Jan, 2019 10:38pm

    We'd target doing this via "marking" objects in STIX, most likely. Are there examples of good (or bad) approaches that you would suggest we look at?

  • Guest commented
    25 Jan, 2019 12:34pm

    Sample of deployment of this use case, based on rules & scripts

  • Guest commented
    1 Jun, 2018 08:04am

    More information CERT uSage of TLP: https://www.certsi.es/en/tlp

    TLP is a standard evaluation in CERT SI group available in all central banks accross the globe.

    How to use it

    The author must check the information with appropriate color to indicate scope TLP is the dissemination of such information, usually including the text "TLP:COLOR" in the header and footer of the document, using the colors on the table above.

    If the recipient needs to disseminate that information with third parties beyond the scope of the TLP designation indicated, should refer to the source of the information.

    Why using it?

    TLP is a simple and intuitive scheme to indicate when and how sensitive is the information on cybersecurity that will be shared, and facilitates collaboration with other entities or organizations at national and international level.

    How TLP relates to other classification schemes?

    TLP is not applicable to classified information, as is provided for in the Security Classification Information National Authority for the Protection of Classified Information

    TLP designation is not a category or subcategory of these standards , and should only be used operationally.

    Who does use TLP?

    TLP is used by public and private organizations in the field of cybersecurity, both in Spain and in other countries like United States, Australia, Canada, Finland, France, Germany, Hungary, Italy, Japan, Netherlands, New Zealand, Norway, Sweden, Switzerland, and United Kingdom.

    For more info about the TLP standard, please visit www.first.org/tlp

  • Guest commented
    16 May, 2018 12:40pm

    (Copy of Ticket #9407)