Networkforensic

Threat hunting

CERT / CSIRT Teams
https://www.trusted-introducer.org/

FIRST is the global Forum of Incident Response and Security Teams
https://www.first.org/

 

European Government CERTs (EGC) group
https://www.egc-group.org/

The European Union Agency for Network and Information
https://www.enisa.europa.eu/


Traffic Light Protocol 2.0

TLP:RED
For the eyes and ears of individual recipients only, no further disclosure.

Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.

TLP:AMBER
Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only.

Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT.

TLP:GREEN
Limited disclosure, recipients can spread this within their community.

Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.

TLP:CLEAR (TLP:WHITE in TLP 1.0)
Recipients can spread this to the world, there is no limit on disclosure.

Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
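
The following is an added example, not part of the original page or of the TLP text itself: a fail-closed check that a sharing pipeline could run before forwarding a marked message. The scope names, the bracketed subject-line format, and the choice to handle unmarked or unrecognised markings as TLP:RED are assumptions of this example.

```python
import re

# Audience scopes from narrowest to widest (names are this example's assumption).
SCOPES = ("recipient", "organization", "clients", "community", "public")

# Widest audience each label permits, following the definitions above.
MAX_SCOPE = {
    "RED": "recipient",              # individual recipients only
    "AMBER+STRICT": "organization",  # own organization only
    "AMBER": "clients",              # own organization and its clients
    "GREEN": "community",            # community, no public channels
    "CLEAR": "public",               # no limit on disclosure
}

# AMBER+STRICT must be tried before AMBER; WHITE is accepted as the older name.
LABEL_RE = re.compile(
    r"TLP\s*:\s*(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)\b", re.IGNORECASE)


def parse_tlp(text):
    """Return the most restrictive TLP label found in text, or None."""
    found = []
    for match in LABEL_RE.finditer(text):
        label = match.group(1).upper()
        found.append("CLEAR" if label == "WHITE" else label)
    if not found:
        return None
    # A forwarded thread can carry several markings; the strictest one wins.
    return min(found, key=lambda lbl: SCOPES.index(MAX_SCOPE[lbl]))


def may_share(text, audience):
    """True if content marked as in `text` may be passed on to `audience`."""
    if audience not in SCOPES:
        raise ValueError(f"unknown audience scope: {audience!r}")
    # Fail closed (assumption): no recognisable marking is handled as RED.
    label = parse_tlp(text) or "RED"
    return SCOPES.index(audience) <= SCOPES.index(MAX_SCOPE[label])


if __name__ == "__main__":
    # Constructed sample subject lines, not real traffic.
    samples = [
        ("[TLP:AMBER+STRICT] Phishing wave against finance staff", "clients"),
        ("[TLP:GREEN] Scanner activity summary", "community"),
        ("Fwd: [TLP:GREEN] digest of [TLP:AMBER] report", "community"),
        ("Weekly notes (no marking)", "organization"),
    ]
    for subject, audience in samples:
        print(f"{subject!r} -> {audience}: {may_share(subject, audience)}")
```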