1. Frequently asked questions
Listed hereunder are the most frequent questions that may be asked about the marking policy of ANSSI for its operational information.
1. May the information received be used for the protection of all kinds of information systems (hereafter "IS"), e.g. vital/critical IS or not, essential IS or not?
Yes, as long as the requirements of the given TLP and PAP levels are respected and as long as the information has been verified as suitable for that use.
2. For the protection of the IS of my entity, may the information received be shared with a contractor (for detection or incident response)?
TLP:CLEAR | TLP:GREEN | TLP:AMBER | TLP:RED |
Yes, regardless of the type of contractor. | Yes, regardless of the type of contractor, exclusively for the protection of the entity’s IS. | Yes, regardless of the type of contractor, exclusively for the protection of the entity’s IS. | No, except if it is an embedded contractor. |
⚠ Warning: the contractor has no right to share the information received, in particular with other clients, except for TLP:CLEAR information. ⚠
3. May the information received be shared with a parent entity (Group) or with a subsidiary entity?
TLP:CLEAR | TLP:GREEN | TLP:AMBER | TLP:RED |
Yes | Yes | Yes | No |
⚠ Warning: if the parent entity or the subsidiary entity in turn wishes to share TLP:AMBER information, it must seek express permission from ANSSI to do so. ⚠
4. Is it possible to share the information received with critical suppliers of my supply-chain (identified in my risk assessment), that may have an impact on the continuity of service or security of my business?
TLP:CLEAR | TLP:GREEN | TLP:AMBER | TLP:RED |
Yes | Yes | No, unless there is a contractual framework between the constituent and its supplier where both parties commit to guarantee the sharing and handling constraints set by ANSSI | No |
⚠ Warning: the supplier has no right to share the information received except for TLP:CLEAR information. ⚠
5. May the information received be stored or used in clear on an IaaS or SaaS public cloud service dedicated to investigation, log exploitation or detection?
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | Yes | Yes |
⚠ Warning: this investigation or detection infrastructure must have been designed and secured so as to ensure isolation in case the supervised IS is compromised. ⚠
6. May the information received be used to search on a production IS, including in the cloud?
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | Yes | No |
7. May the information received be used through a local detection and response solution (e.g. Endpoint detection response) deployed on workstations or production servers?
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | Yes for detection, no for blocking | No |
8. Are open source searches or submissions allowed with the information received?
- For searches (e.g.: using search engines or public knowledge databases accessible on the Internet in order to pivot on the information):
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | Yes | No |
- For submission of the received information, or of the files containing such information, on an online analysis service, which can share this information or the results of such analysis (e.g.: Virus Total, urlscan, online sandboxes):
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | No | No |
⚠ Warning: in general, publicly accessible knowledge bases have terms and conditions of use which may differ according to the service subscribed. You must ensure that the offer you have subscribed to commits to not sharing your searches with third parties. ⚠
9. May the information received be searched on a public knowledge base disconnected from public networks (e.g.: public base replicated on an infrastructure not connected to the Internet?)
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | Yes | Yes |
10. Is the blocking of network or application flows, on the basis of the information received, possible (e.g. blocking of an IP address on a firewall or of a web address on a proxy server)?
PAP:CLEAR | PAP:GREEN | PAP:AMBER | PAP:RED |
Yes | Yes | No | No |
11. Is it possible to use PAP:RED information on a dedicated workstation disconnected from the production IS (and not exposed to a public network)?
Yes, this can be considered as an infrastructure dedicated to investigations and detections.
12. How does ANSSI consider information received from third parties tagged only with TLP?
ANSSI only applies its interpretation of TLP/PAP marking to the information it produces itself. Information received from outside and tagged only with TLP is interpreted in accordance with FIRST's definition. However, ANSSI encourages its partners to detail the conditions of handling of the information they share by marking it with a PAP tag or by indicating the limitations associated with its use.
2. Some use cases
In order to get started with this sharing and handling policy, a few use cases are described in the tables hereunder. For each case details are given regarding who can use the operational information received and on which perimeter.
Hunting
Marking | Who? | Where? |
TLP:CLEAR PAP:CLEAR | Anyone | Anywhere |
TLP:GREEN PAP:GREEN | A member of the community | On all its infrastructure |
TLP:GREEN PAP:AMBER | A member of the community | On all its infrastructure |
TLP:AMBER PAP:GREEN | The constituent or a contractor | On all its infrastructure |
TLP:AMBER PAP:AMBER | The constituent or a contractor | On all its infrastructure |
TLP:AMBER PAP:RED | The constituent or a contractor | On a dedicated investigation network, for instance after having collected elements of interest |
TLP:RED PAP:AMBER | The constituent or its embedded contractor | On all its infrastructure |
TLP:RED PAP:RED | The constituent or its embedded contractor | On a dedicated investigation network, for instance after having collected elements of interest |
Real time detection
Marking | Who? | Where? |
TLP:CLEAR PAP:CLEAR | Anyone | Anywhere |
TLP:GREEN PAP:GREEN | A member of the community | On all its infrastructure |
TLP:GREEN PAP:AMBER | A member of the community | On all its infrastructure |
TLP:AMBER PAP:GREEN | The constituent or a contractor | On all its infrastructure |
TLP:AMBER PAP:AMBER | The constituent or a contractor | On the constituent's infrastructure; on the constituent's cloud-based infrastructure only if there is an agreement with the cloud provider which provides for the exclusive control of its data by the constituent |
TLP:AMBER PAP:RED | The constituent or a contractor | On a dedicated investigation network |
TLP:RED PAP:AMBER | The constituent or its embedded contractor | On the constituent's infrastructure; on the constituent's cloud-based infrastructure only if there is an agreement with the cloud provider which provides for the exclusive control of its data by the constituent |
TLP:RED PAP:RED | The constituent or its embedded contractor | On a dedicated investigation network |
Real time blocking
Marking | Who? | Where? |
TLP:CLEAR PAP:CLEAR | Anyone | Anywhere |
TLP:GREEN PAP:GREEN | A member of the community | On all its infrastructure |
TLP:GREEN PAP:AMBER | N/A | N/A |
TLP:AMBER PAP:GREEN | The constituent or a contractor | On all its infrastructure |
TLP:AMBER PAP:AMBER | N/A | N/A |
TLP:AMBER PAP:RED | N/A | N/A |
TLP:RED PAP:AMBER | N/A | N/A |
TLP:RED PAP:RED | N/A | N/A |