TLCTC

Top Level Cyber Threat Clusters

White Paper V1.6.3

Download White Paper (PDF) White Paper (HTML Navigator) Executive Briefing (Summary) TLCTC Framework vs. Existing Standards & Regulations: A Core Feature Comparison

"The Top Level Cyber Threat Clusters (TLCTC) framework serves as a "Rosetta Stone" connecting strategic planning to operational security through logically-derived, non-overlapping threat categories. This fills a critical gap in current standards while complementing existing risk management approaches."

Why?

Learn More

The Top Level Cyber Threat Clusters

These 10 clusters form the complete, high-level foundation for understanding *how* adversaries operate. Click to explore.

#1

Abuse of Functions

Misusing legitimate features/logic.
#2

Exploiting Server

Leveraging server-side code flaws.
#3

Exploiting Client

Leveraging client-side code flaws.
#4

Identity Theft

Compromising credentials/auth.
#5

Man in the Middle

Intercepting communications.
#6

Flooding Attack

Overwhelming capacity/resources.
#7

Malware

Executing foreign malicious code.
#8

Physical Attack

Unauthorized physical interaction.
#9

Social Engineering

Manipulating individuals.
#10

Supply Chain Attack

Compromising third-party elements.

TLCTC: Delivering Value to Diverse Stakeholders

Strategic Leadership

  • Enhanced Strategic Decision-Making: CISOs and Executives gain a structured threat taxonomy for clearer risk prioritization and resource allocation.
  • Quantifiable Risk Management: Risk Managers can leverage TLCTC to integrate quantifiable metrics into FAIR or other risk models, improving risk assessments.
  • Improved Board-Level Communication: Boards receive a clear and concise framework for understanding cyber threats and overseeing cybersecurity strategy.
  • Stronger Cybersecurity Governance: Enables better alignment between strategic risk appetite and operational security execution, strengthening overall governance.

Security Operations & Technical Teams

  • Consistent Incident Classification: CSIRTs/CERTs gain a consistent and unambiguous taxonomy for classifying and responding to cyber incidents.
  • Enhanced MITRE Integration: MITRE ATT&CK and CWE users benefit from improved mapping and contextualization of techniques and weaknesses.
  • Streamlined Threat Intelligence Sharing (STIX): STIX users gain a standardized threat taxonomy for more effective threat intelligence exchange and analysis.
  • Precise Attack Path Analysis for SOCs: SOC analysts can leverage TLCTC for precise attack path analysis, improving threat detection and incident response.
  • Standardized Threat Intel Framework: Threat Intelligence teams benefit from a standardized analysis framework, enhancing the quality and actionability of threat intelligence.
  • Improved Vulnerability Prioritization (CVEs): CVE analysts can leverage TLCTC to add strategic context to vulnerability data, enabling better prioritization and remediation efforts.

Standards Bodies & Regulatory Agencies

  • Developing Clearer Threat Standards (NIST/ISO/CIS): Provides a robust foundation for NIST, ISO, CIS, and other standards bodies to develop clearer, more consistent threat standards.
  • Framework Harmonization (CISA/ENISA): Enables CISA, ENISA, and similar agencies to harmonize cybersecurity frameworks and improve interoperability.
  • Global Consistency for EU Agencies: Facilitates consistent threat understanding and reporting across EU agencies and member states, supporting EU-wide cybersecurity initiatives.
  • Enhanced National & International Coordination: Empowers national cyber security centers (NCSCs) and international bodies to coordinate threat intelligence sharing and incident response more effectively.

Key Concept Components

TLCTC Definitions

TLCTC Definitions

We need a common language

  • Axioms (check white paper)
  • The Thought Experiment
  • Definitions and Clarifications
  • Definitions (incl. JSON)
  • Glossary
  • Enumeration and Notation Enhancement V2.0
  • Jump to White Paper Section

Concept Applicability

Scope of Software and Hardware

  • at Interface Level (API)
  • at Function Call Level
  • Vertical Stack Application
  • Jump to White Paper Section

Bridging Strategy and Operations

A Comprehensive TwoTiered Approach

Cyber Bow-Tie Generic
  • Strategic Management Layer
  • Operational Layer
  • CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk
  • Jump to White Paper Section

Cyber Bow-Tie

Beside Attack Paths we talk about Event Chains

Cyber Bow-Tie Generic
  • Basic Bow-Tie
  • Cyber Bow-Tie - Alternative Visualization (V2)
  • More Definitions
  • A CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk
  • Jump to White Paper Section

Framework Integration

CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

CSF Wheel

NIST CSF

Integration with NIST Cybersecurity Framework functions

  • Identify function mapping
  • Protect controls alignment
  • Detect capabilities integration
  • NIST CSF Integration with TLCTC Framework
  • Jump to White Paper Section

SSDLC

Secure Software Development Lifecycle

  • Phase-Specific Integration
  • Integration with NIST CSF Functions
  • Secure Coding Practices
  • Secure Software Development: Distinguishing Between Coding and Programming
  • Enhancing SonarQube with the TLCTC Framework and CWE
  • Integrating TLCTC with NIST SP 800-218 (SSDF)
  • Example Integrating TLCTC with PASTA in the SDLC
  • Example Integrating TLCTC with IEC 62443
  • Jump to White Paper Section
MITRE Logo

MITRE ATT&CK

Enhanced tactical security operations through TLCTC categorization

  • Technique mapping (T1234) (Enterprise INITIAL)
  • CWE alignment
  • Attack pattern categorization
  • MITRE Atlas AI - Mapping Adversarial ML (AML) Techniques
  • MITRE ATT&CK and STIX Integration with TLCTC

STIX/TAXII

Standardized threat intelligence sharing

  • STIX object integration
  • Threat pattern mapping
  • Intelligence sharing enhancement
  • Enhancing STIX with TLCTC Framework

NVD CVE

Enhancing CVE Details

  • A Strategic Extension for Attack Vector Representation
  • Structural Proposal
  • Assessment of the Extended CVE JSON Proposal
  • Enhancing CVE Details with the TLCTC Framework

Vulnerability Mapping

TLCTC cluster alignment

  • Root cause analysis
  • Generic vulnerability mapping
  • Impact classification
  • Jump to White Paper Section
  • Enhancing SonarQube with the TLCTC Framework and CWE
  • Specific CVE Analysis and TLCTC Enhancement Proposal

CVE 2 TLCTC Mapper

Custom My GPT

  • Check a CVE
  • Attack vector analysis
  • TLCTC Mapping
  • [CVE 2 TLCTC Mapper and Analyzer]

Call to Act

MITRE & STIX

  • Mitre & STIX
  • Proposed Enhancements
  • Implementation Approach
  • Jump to White Paper Section

Tools

CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

Cyber Threat Radars

Holistic Views on every Level

  • Your View as Organization - My Org, My Customers, My 3rd Parties
  • State Level View - Sector analysis, ross-sector coordination
    • Cyber Threat Radar Example for an Organization

  • Try The TLCTC Radar App
  • Jump to White Paper Section

Actor Profiles

Know Your Enemy

  • Major breach analysis
  • Pattern recognition
  • Attacker Profiles
e.g. "Scattered Spider"
  • Analysis of Threat Actors: CrowdStrike 2024 Report Mapped to TLCTC Framework
  • Cobalt Strike - TLCTC Mapping Table
  • Try TLCTC Cyber Threat Actor Profile Designer
  • Jump to White Paper Section

Attack Path Notation

  • #9 -> #4 ... TLCTC-09.00 -> TLCTC-04.00
  • MFA Bombing Example
  • Part of common language
  • Enumeration and Notation Enhancement V2.0
  • Jump to White Paper Section
Emotet Example

Standardized sequence representation

Complex Scenarios

Multi-stage attack analysis

  • Foundation of Defense in Depth
  • Lateral movement patterns
  • Attack chain analysis
  • Jump to White Paper Section

Critics

Critical TLCTC Analysis

The "Why Ten?" Question

  • Framework remains open to evolution
  • Call To Act: Challenges NIST and MITRE
  • Provides complete coverage by design
  • Learn more about the rationale

Cluster Refinement

Analysis of Cluster Maturity

  • Established clusters with strong validation
  • Emerging clusters requiring further analysis
  • Open for community discussion and input
  • Jump to White Paper Section

Framework Analysis

Comparative Review of Standards regarding Cyber Threat Taxonomy

  • Security Standards: NIST, ISO, CIS, BSI
  • Threat Models: MITRE, STRIDE, OWASP
  • Emerging Standards & Regional Frameworks
  • Jump to White Paper Section
  • Complementary Frameworks: Enhancing The Threat Modeling Manifesto
  • Beyond STRIDE:
  • CRF-TT:
  • OCTAVE:
  • PASTA:
  • ISO/SAE 21434:
  • LINDDUN:
  • FAIR:

Regulatory Analysis

Critical Reflects on

  • NIS 2 DIRECTIVE (EU) 2022/2555: Definitions, Scope, Improvement
  • DORA (Digital Operational Resilience Act - Regulation (EU) 2022/2554)
  • DORA RTS TLTP - Draft Regulatory Technical Standards...
  • Regulation (EU) 2019/881 (CSA) & Regulation (EU) 2024/... (CRA)
  • ETSI TR 103 331 V2.1.1 (2022-12) - Structured threat information sharing

TLCTC BLOG

« Older Posts

Work in Progress: This page is being updated. For definitive information, please consult the White Paper V1.6.3 [PDF Link].

Discuss or ask questions about TLCTC? Try the [TLCTC Explainer GPT]

Operational with TLCTC? Try the [CVE 2 TLCTC Mapper and Analyzer GPT]

Legend:

white-paper-section - TLCTC Blog for a deep dive: - External Contributor: - Incl. json: - Incl. java: