Hello, welcome to the Friday, August 5th, 22 edition of the Sansonet Storm Center's Stormcast. My name

is Johannes Ulrich, and today I'm recording from Jacksonville, Florida. Jan today wrote a brief diary

about version 2.0 of the Traffic Light Protocol or TLP assets sometimes abbreviated. The TLP was defined by

first the forum for incident response and security teams. It makes it easier to attach

guidance how information may be shared. So really important if you are, for example, sharing threat intelligence.

The protocol is pretty straightforward.

The original defined four different colors, from white to red, indicating how information

may be shared.

But as so many things, once it was used more, some issues really became clear with it.

One particular issue was the definition of the color amber.

Amber information may be shared within a participant's organization, but, well, people had sort of issues with what does it really mean?

Organizations these days are often a little bit fluent.

You have, for example, virtual CSOs or other consultants.

Are they allowed if they learn about vulnerability or an indicator of compromise to share

it with their customers?

That was a question that often came up.

So now we got the version 2.0 of the TLP and it now uses Amber and Amber Strict.

For Amber Strict, this means no, you cannot share the information if you are providing security services for the recipient.

So this will also include vendors, for example,

that may want to share that information, not just sort of one-person consultants and the like.

In version one of the TLP, we also had white as sort of the lowest color. That's now clear.

And in the past, I sometimes found that people didn't quite sort of understand a difference

...