Elemendar’s AI-based READ. technology assists cyber analysts in processing cyber threat intelligence (CTI) into machine-readable, structured, defensive code, enabling them to faster defend organisations against new and complex cyber threats. READ. now allows users to apply TLP tagging (Traffic Light Protocol) at the entity level. So what does this mean?
First a little background…
Traffic Light Protocol (TLP) is a system for classifying sensitive information created by what is now the United Kingdom’s Centre for Protection of National Infrastructure in the early 2000’s. Used by both public and private sector organisations, TLP is a cornerstone of modern cyber security and the focus on the “need to share” over the older “need to know” approach that so stifled effective intelligence fusion in the past.
TLP markings encompass the following four categories that are defined as
Figure 1: TLP marking as defined by First
The importance of TLP cannot be understated as it is the cornerstone standard for information assurance that allows members from many different organisations to collaborate in forums such as ISACS and other less formal groups.
With the implementation of the STIX/ TAXI standards, opportunities for CTI analyst have opened up to extract entities from TLP marked source documents in the form of observables, indicators, campaigns, threat actor, exploit target, TTPs, courses of action and incidents in line with the STIX standard. This is what is referred to as the “entity level.”
So…if it isn’t broken, why have you fixed it?
TLP is in no way flawed in its core principle however, a TLP grading is typically attached to intelligence at the documents level. The challenge that this creates is that when an analyst moves to the entity level and extracts a STIX file from a TLP marked document, that TLP marking is lost. This situation is graphically shown below.
Figure 2: TLP and its relationship to source documents and the STIX file generation process
The situation represented in Figure 2 presents a number of risks, most obviously the possibility that a piece of intelligence can lose its TLP marking as the analyst generates a STIX file from a source document. Given that there is a shift within the CTI discipline as a whole towards a greater utilisation of the STIX/TAXI standards, the risk around the “dropping” of TLP marking becomes apparent.
TLP tagging Elemendar’s READ.
Show below is an example of an output from Elemendar’s READ.
Figure 3: TLP tagging at the entity level within Elemendar’s READ. platform
To further elaborate on Figure 3, Elemendar’s READ. platform now has the functionality to:
- Tag entities within a STIX output file with different levels of TLP marking (green, amber, red or white)
- Create “TLP clusters” within a STIX document that is either at higher or lower level of TLP marking than the original input document
- Produce outputs from READ. in the form of STIX files at a lower TLP level than the input file
The significance of this technical development is that now, with TLP tagging within the READ. tool, the security element of the CTI process is now in lock step; parallel with the driver to develop intelligence within the STIX/TAXI framework.
To conclude, cyber threat intelligence is a discipline in a constant state of flux and within this context disruptive technological developments such as TLP tagging at the entity level, signal the cutting edge of the discipline as well as pointing where security as well as collaboration is key.