As the French national cybersecurity agency, ANSSI has to share operational information with a number of different communities and entities. Sometimes this operational information must be used with caution.
Taking this into account, setting up rules specifying how such information (whether it is of a technical nature or not) should be shared and handled participates in strengthening trust within the cybersecurity community.
Beyond the question of sharing, the way shared operational information such as, for instance, indicators of compromise, is handled may inform an external observer about the knowledge and operational capabilities of an organization.
As a result, agreeing on a clear and intelligible marking policy can help normalizing exchanges of information without compromising operational efficiency. It also facilitates harmonization of practices by contributing to a homogeneous handling of the information.
In order to answer those needs, ANSSI applies a double marking on its operational information:
- TLP (Traffic Light Protocol) marking, for sharing information;
- PAP (Permissible Actions Protocol) marking, for handling information.
By combining these two internationally known marking conventions, the objective is to offer sufficient granularity to cover for both sharing and handling constraints in most use cases.
The marking used by ANSSI, the different sharing policies it applies and recommended associated security measures are described further herunder. In order to facilitate the understanding of these policies, use cases and a FAQ are also available.
1. TLP marking for sharing
Initiated by FIRST (Forum of Incident Response and Security Teams) which shares a standardized definition of it, the Traffic Light Protocol (TLP) is a convention widely used by incident response professionals.
With a scale on which each level is associated with a color, TLP provides a way to indicate how a given information can be shared.
In coherence with its operational needs, and for each TLP level, ANSSI details hereunder the operational interpretation applicable to the information that it produces and shares.
| Operational interpretation of the different TLP levels applicable to operational information shared by ANSSI | |
|---|---|
|
TLP:RED
|
Limited sharing within a legal entity, with need-to-know principle applying. For instance:
|
|
TLP:AMBER
|
Sharing limited to identified entities bound by a commitment with the issuer (e.g. a closed community). For instance:
|
|
TLP:GREEN
|
Free sharing within a clearly identified community (open or closed), further sharing allowed within these communities (contractors included). For instance:
|
|
TLP:CLEAR
|
Public sharing, without restriction. Free sharing between communities, including on the Internet. |
A community is a set of actors who share interests, constraints or even common rules in order to solve a problem or deliver a service. It is open if its members are informally linked together and when membership is generally implicit. It is closed if its members are officially linked together (via charter, contract, law…) and when membership is necessarily explicit.
NB: in version 1.0 of TLP, the TLP:CLEAR tagging was called TLP:WHITE; older publications may still contain this tag, which has the same definition.
2. PAP marking for handling
The Permissible Action Protocol (PAP) was introduced in 2016 in the taxonomies of MISP (Malware Information Sharing Platform), which is maintained and developed by the CIRCL.
PAP specifies how far a given information may be exposed. The idea is to define a set of possible actions taking into account the information it may reveal to a malicious actor. Like TLP, PAP has four different levels, with an identical color code.
ANSSI details hereunder the operational interpretation applicable to each PAP level.
| Operational interpretation of the different PAP levels applicable to operational information shared by ANSSI | |
|---|---|
|
PAP:RED
|
Handling limited to infrastructures dedicated to investigation and detection:
For instance:
The use of specialised IaaS/SaaS services is allowed if their contract guarantees the confidentiality of the handled data. |
|
PAP:AMBER
|
Handling limited to a passive exploitation of data, ie. only to actions which are not visible by malicious sources. For instance:
Interactions, even indirect, with the system or infrastructure of the threat actor are forbidden. |
|
PAP:GREEN
|
Controlled handling, allowing for non intrusive interactions with malicious sources. For instance:
|
|
PAP:CLEAR
|
Free handling in compliance with law and licences, no constraints relating to exploitation or handling of the information. |
NB: to be consistent with the relabelling of TLP:WHITE into TLP:CLEAR, ANSSI has decided to use the PAP:CLEAR label.
3. Sharing policies used by ANSSI
By combining the sharing (TLP) and handling (PAP) marking described above, it becomes possible to define several policies that have enough granularity to cover the most common operational situations. Nevertheless, some TLP/PAP combinations are deliberately not applicable (N/A):
|
PAP:RED
|
PAP:AMBER
|
PAP:GREEN
|
PAP:CLEAR
|
|
|
TLP:RED
|
P1 | P2 | N/A | N/A |
|
TLP:AMBER
|
P3 | P4 | P5 | N/A |
|
TLP:GREEN
|
N/A | P6 | P7 | NA |
|
TLP:CLEAR
|
N/A | N/A | N/A | P8 |
Only eight consistent TLP/PAP combinations have been selected by ANSSI; they are detailed in the tables hereunder. For each of them, examples of situations where they should apply are given.
P1 : TLP:RED/PAP:RED (click here for a detailed description)
| P1
TLP:RED
PAP:RED
|
This policy is for instance appropriate when the malicious source must not suspect it has been identified, in order to enable effective protection from it in the future. |
|---|---|
| Sharing | Sharing limited within the internal perimeter of an entity, on a need-to-know basis; this may apply to one or more clearly identified individuals, or one or more individuals within an organisational unit or project team, including embedded contractors who operate on the perimeter of the infrastructure in question. No further sharing is possible. |
| Handling |
Handling limited to infrastructures dedicated to investigation and detection:
|
P2 : TLP:RED/PAP:AMBER (click here for a detailed description)
| P2
TLP:RED
PAP:AMBER
|
This policy is for instance appropriate in the case of an intervention on a potentially compromised network. |
|---|---|
| Sharing | Sharing limited within the internal perimeter of an entity, on a need-to-know basis; this may apply to one or more clearly identified individuals, or one or more individuals within an organisational unit or project team, including embedded contractors who operate on the perimeter of the infrastructure in question. No further sharing is possible. |
| Handling |
Passive and not directly visible from malicious sources (if the latter make an effort to find out more). Use for detection, qualification, search campaigns, server log searches, etc. if necessary on a compromised infrastructure. Potentially open source search insofar as the malicous source would not be able to observe such search. |
P3 : TLP:AMBER/PAP:RED (click here for a detailed description)
| P3
TLP:AMBER
PAP:RED
|
This policy is appropriate for needs similar to the P1 policy (the malicious source must not suspect it has been identified) but for a wider sharing perimeter, which means it is relevant in cases where the need for protection concerns several entities, or a community subset. |
|---|---|
| Sharing | One or several well identified legal entities (which may belong to distinct closed communities), with which they have a contractual (or more generally a formal) link, with no possibility of further sharing on their part. |
| Handling |
Handling limited to infrastructures dedicated to investigation and detection:
|
P4 : TLP:AMBER/PAP:AMBER (click here for a detailed description)
| P4
TLP:AMBER
PAP:AMBER
|
This policy is for instance appropriate in cases where one wants to reach entities which are under a particular threat or are the subject of a malicious campaign. As the case may be, entities receiving the information may be directly concerned or may be contractors acting for the benefit of their clients: – in the former case, targeting is limited and the perimeter of recipients is known; – in the latter case, contractors are autonomous in identifying the entities likely to be affected. |
|---|---|
| Sharing | One or several well identified legal entities (which may belong to distinct closed communities), with which they have a contractual (or more generally a formal) link, with no possibility of further sharing on their part. |
| Handling |
Passive and not directly visible from malicious sources (if the latter make an effort to find out more). Use for detection, qualification, search campaigns, server log searches, etc. if necessary on a compromised infrastructure. Potentially open source search insofar as the malicous source would not be able to observe such search. |
P5 : TLP:AMBER/PAP:GREEN (click here for a detailed description)
| P5
TLP:AMBER
PAP:GREEN
|
This policy is for instance appropriate, in cases where one wants to allow clearly identified entities to take a proactive stance against a threat, such as blocking traffic from a malicious source. |
|---|---|
| Sharing | One or several well identified legal entities (which may belong to distinct closed communities), with which they have a contractual (or more generally a formal) link, with no possibility of further sharing on their part. |
| Handling | Potentially active and visible from the malicious source as long as it is not intrusive, which can include blocking the source of the malicious traffic. |
P6 : TLP:GREEN/PAP:AMBER (click here for a detailed description)
| P6
TLP:GREEN
PAP:AMBER
|
This policy is appropriate for needs similar to the P4 policy but for a wider sharing perimeter, thus reaching an entire community. It will most probably be an entire sector and this may lead to a very wide sharing, but nonetheless not public. Unlike the P4 policy, the community will be able to exchange more freely between its members (typically through a user club), as the TLP:GREEN level favors intra-community exchanges. It will more probably be a community of constituents which will use the information to protect its own infrastructures (using their service providers where necessary). |
|---|---|
| Sharing | One or several well identified open communities. |
| Handling |
Passive and not directly visible from malicious sources (if the latter make an effort to find out more). Use for detection, qualification, search campaigns, server log searches, etc. if necessary on a compromised infrastructure. Potentially open source search insofar as the malicous source would not be able to observe such search. |
P7 : TLP:GREEN/PAP:GREEN (click here for a detailed description)
| P7
TLP:GREEN
PAP:GREEN
|
This policy is appropriate for sharing widely an information that may be used directly. |
|---|---|
| Sharing | One or several well identified open communities. |
| Handling | Potentially active and visible from the malicious source as long as it is not intrusive, which can include blocking the source of the malicious traffic. |
P8 : TLP:CLEAR/PAP:CLEAR (click here for a detailed description)
| P8
TLP:CLEAR
PAP:CLEAR
|
This policy is appropriate for the public sharing of an operational information. |
|---|---|
| Sharing | Public sharing. |
| Handling | Free handling in compliance with law and licences. |
OutsideTLP:GREEN and TLP:CLEAR, it is not possible for a third party who has indirectly received an information originating from ANSSI to share this information in turn.
In case of need such a recipient should contact ANSSI along with the initial recipient; ANSSI will then formaly authorise further sharing or will take upon itself to share this information with a new contact.
4. Security measures
This sharing and handling policy is not intended to impose a set of rules for information protection.
However, givent TLP and PAP marking, it is highly recommended to apply the measures described in the table hereunder. As the case may be, these measures can be further detailed in a contractual framework.
| TLP:RED PAP:RED | TLP:RED PAP:AMBER | TLP:AMBER PAP:RED | TLP:AMBER PAP:AMBER | TLP:AMBER PAP:GREEN | TLP:GREEN PAP:AMBER | TLP:GREEN PAP:GREEN | TLP:CLEAR PAP:CLEAR | |
| Setting up an exchange framework | ✔ | ✔ | ✔ | ✔ | ✔ |
No specific measures for these combinations. However, it is worth paying attention to the sharing and handling terms of the shared information. |
||
|---|---|---|---|---|---|---|---|---|
| Encrypting data in transit | ✔ | ✔ | ✔ | ✔ | ✔ | |||
| Ensuring transfer traceability | ✔ | ✔ | ✔ | ✔ | ✔ | |||
| Controlling access to stored data | ✔ | ✔ | ✔ | ✔ | ✔ | |||
| Ensuring access traceability | ✔ | ✔ | ||||||
The table below details the security measures listed hereabove; these are deliberately generic and must be adpated or supplemented according to the specific situations considered.
| Associated security measures | |
| Setting up an exchange framework |
Transferof data must be formally agreed upon beforehand. E.g.: general terms and conditions of use, Open Licence, existing contract with additional clauses, if necessary. |
|---|---|
| Encrypting data in transit |
The confidentiality of data in transit over an uncontrolled infrastructure must be ensured. E.g.: encryption of links (ex. : TLS, SSH, SFTP, IPSec) |
| Ensuring transfer traceability |
The transfer of data must be traceable: it must be possible to determine the source organisation and the recipient organisation as well as when the transfer was made. E.g.: email archiving, technical or functional logs, use of PGP or of X.509 certificates (mutual authentication), minutes or report of a meeting. |
| Controlling access to stored data |
Data and its backups must be stored in such a way as to preserve confidentiality (vis-à-vis other internal teams or third parties). E.g.: encryption of storage spaces, nominative access control, use of a dedicated infrastructure. |
| Ensuring access traceability |
Access to data must be traced (who, when, why) and records must be maintained over time, in accordance with applicable regulatory requirements. E.g.: functional and technical access control logs (given level, application or system), |
It is the stakeholders’ responsibility to implement the appropriate security measures taking into account the expectations expressed by the policies defined above. They should be implemented consistently throughout the information life cycle.
Information which is no longer used must be destroyed if ANSSI expressly requires it. Otherwise they are meant to be archived, in accordance with the constraints associated with their marking.
The recipient of the information may contact ANSSI in order to confirm the level of marking or in order to adapt the measures relating to archiving. It is also free to delete the information when it considers it is no longer relevant (at the end of the interest period for instance).
