Amendment proposal to TLP 2.0 - TLP:UNCLEAR (1st April)
Find a file
2023-05-01 18:48:48 +02:00
.github/workflows Create .github/workflows/jekyll-gh-pages.yml 2023-04-04 08:42:07 +02:00
images new: [images] tlp:unclear 2023-04-04 08:24:34 +02:00
_config.yml chg: [jekyll] add default theme 2023-05-01 18:45:40 +02:00
README.md chg: [doc] clean-up + ref to GitHub added 2023-05-01 18:48:48 +02:00

Traffic Light Protocol Special Interest Groups

Category: Informational - Amendment proposal to TLP 2.0

Date: 1st April 2023

Amendment proposal to TLP 2.0

The need for TLP:UNCLEAR

0. Rationale and description

“ELOQUENCE, n. The art of orally persuading fools that white is the color that it appears to be. It includes the gift of making any color appear white.”

  • Ambrose Bierce (excerpted from The Devils Dictionary)

Modern approaches to cybersecurity embrace data science, machine learning, and in general the statistical view of the world (or at least the bits on the internet). After all, it makes more sense, when measuring indicators of compromise at scale, to choose a stochastic approach. Therefore, measurements should always be given with a precisely specified indication of uncertainty.

It logically follows that the TLP standard1 should also embrace stochastics. In other words, cybersecurity is full of uncertainty which needs to be properly classified into a new taxonomy. And with the advent of ChatGPT, statements on truth become even more … stochastic.

We therefore humbly propose the introduction of TLP:UNCLEAR.

1. Overview

This amendment shall describe a new Traffic Light Protocol tag: TLP:UNCLEAR.

TLP:UNCLEAR MAY be used whenever the sender is not sure which TLP label would be appropriate. Recent epidemiological studies have demonstrated that the rate of TLP:UNCLEAR labelings was strongly correlated with the number of people reading the TLP-SIG mailing lists over an extended period of time. A second cohort of TLP:UNCLEAR labelers was identified at CIRCL.lu in Luxembourg after the introduction of TLP:CLEAR (the so-called “anarcho-undo-clear-labellers”).

Color code: when not looking at it, the real color was estimated to be **Schrödinger's Grey or Gray (itself an TLP:UNCLEAR spelling of an unclear color), **however active observers at FIRST conferences described it as dark blue on black background. See figure 1.

TLP:UNCLEAR name tag sticker at FIRST.org conferences.

Figure 1: TLP:UNCLEAR name tag sticker at FIRST conferences.

2. Motivation and use-cases

TLP:UNCLEAR label originally emerged in the anarcho-undo-clear-labellers fraction (“patient 0”). It was created in resistance to the renaming of TLP:WHITE to TLP:CLEAR. For this group the only logical undo function to the controversial TLP:CLEAR tag was to introduce TLP:UN-CLEAR2. However, soon it was noted that the introduction of TLP:UNCLEAR also had a couple of unexpected beneficial side-effects as well as alternative use-cases:

  • TLP:UNCLEAR helps with the introduction of more statistical methods such as “AI” and Deep Learning into the field of Cybersecurity. Without TLP:UNCLEAR, statistical statements on IoCs would not be possible (“is this IP address a C&C server or not?” -> TLP:UNCLEAR)
  • TLP:UNCLEAR becomes extremely practical when trying to describe the confusion of different levels of TLP:AMBER. Whenever there are uncertainties between TLP:AMBER, TLP:AMBER-strict, TLP:YELLOW (or whats the difference to amber? Is it traffic lights or not or what?), TLP:you-cant-tell-your-spouse-but-everyone-else, TLP:share-with-your-customers-but-not-your-boss, then, TLP:UNCLEAR can easily come to the rescue: by confusing the hell out of the recipient of an TLP:UNCLEAR message into a petrified state, no action will be taken on TLP:UNCLEAR messages, which is after all the intended outcome.
  • When your boss asks you for an assessment on the latest cyber breach on Friday evening and you just dont have an answer yet…its going to be labeled TLP:UNCLEAR
  • You just had a meeting about an incident, so many people had their own opinion about what can or cannot be shared. Until its settled or the next ransomware campaign leaks the meeting notes, TLP:UNCLEAR can be used.
  • If your software doing threat intelligence is buggy and running into an exception, TLP:UNCLEAR is used for all the output generated from an unknown state.
  • An incident responder finds some information in a drop-zone of a C2 server and doesnt know what to do with it, TLP:UNCLEAR can come to the rescue.
  • The cybercrime data came from the U.N., and is thus de facto TLP:UNCLEAR.
  • Is GPT5 going to become sentient? → TLP:UNCLEAR

3. TLP definitions update proposed

The following addendum is proposed to “FIRST Standards Definitions and Usage Guidance — Version 2.0”

Community: Under TLP, a community is a group who shares common goals, practices, and informal trust relationships. A community can be as broad as all cybersecurity practitioners in a country (or in a sector or region).

Organization: Under TLP, an organization is a group who share a common affiliation by formal membership and are bound by common policies set by the organization. An organization can be as broad as all members of an information sharing organization, but rarely broader. Crucially, an organization is defined by the ability to disorganize the information it seeks to share34.

Clients: Under TLP, clients are those people or entities that receive cybersecurity services from an organization. Clients are by default included in TLP:AMBER so that the recipients may share information further downstream in order for clients to take action to protect themselves. For teams with national responsibility this definition includes stakeholders and constituents.

E. TLP:UNCLEAR Community, Organization, Clients, and Recipients are all so confused what the appropriate disclosure level is, and if this or that indicator can or cannot be shared. Assumptions are rampant and the confusion is so high that a chi-square test might in fact be required to ensure the randomness of the mess before labelling this case TLP:UNCLEAR.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents5 in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. The section doesnt use TLP:UNCLEAR to make it clear for the copyleft statement. Ideally a copyleft rights the wrongs of a copyright, but not here.

5. Acknowledgements

This document is a collective work from the following persons in strictly undefined alphabetical order6:

  • Trey Darley
  • Alexandre Dulaunoy
  • Aaron Kaplan
  • Éireann Leverett
  • And many autoregressive language models were abused for the production of this document. They gave unclear answers of course….

6. Contribution

This document can be updated by opening an pull-request on https://github.com/adulau/tlp-unclear/.

Notes


  1. https://www.first.org/tlp/ - TRAFFIC LIGHT PROTOCOL (TLP) - FIRST Standards Definitions and Usage Guidance — Version 2.0 ↩︎

  2. One linguistic theory suggested that this stems from a grammar confusion between French and English at CIRCL. Like Serge Gainsbourg used to say - “Doit-on dire un noir ou un homme de couleur. Tout ceci n'est pas clair.” ↩︎

  3. The 45th footnote is TLP:UNCLEAR. ↩︎

  4. Where is the 45th footnote? ↩︎

  5. https://trustee.ietf.org/license-info ↩︎

  6. They are actually ranked in reverse footnote order. ↩︎