TLCTC

Top Level Cyber Threat Clusters

White Paper V1.6.3

"The Top Level Cyber Threat Clusters (TLCTC) framework serves as a 'Rosetta Stone' connecting strategic planning to operational security through logically derived, non-overlapping threat categories. This fills a critical gap in current standards while complementing existing risk management approaches."

Why?

TLCTC: Delivering Value to Diverse Stakeholders

Strategic Leadership

  • Enhanced Strategic Decision-Making: CISOs and Executives gain a structured threat taxonomy for clearer risk prioritization and resource allocation.
  • Quantifiable Risk Management: Risk Managers can leverage TLCTC to integrate quantifiable metrics into FAIR or other risk models, improving risk assessments.
  • Improved Board-Level Communication: Boards receive a clear and concise framework for understanding cyber threats and overseeing cybersecurity strategy.
  • Stronger Cybersecurity Governance: Enables better alignment between strategic risk appetite and operational security execution, strengthening overall governance.

Security Operations & Technical Teams

  • Consistent Incident Classification: CSIRTs/CERTs gain a consistent and unambiguous taxonomy for classifying and responding to cyber incidents.
  • Enhanced MITRE Integration: MITRE ATT&CK and CWE users benefit from improved mapping and contextualization of techniques and weaknesses.
  • Streamlined Threat Intelligence Sharing (STIX): STIX users gain a standardized threat taxonomy for more effective threat intelligence exchange and analysis.
  • Precise Attack Path Analysis for SOCs: SOC analysts can leverage TLCTC for precise attack path analysis, improving threat detection and incident response.
  • Standardized Threat Intel Framework: Threat Intelligence teams benefit from a standardized analysis framework, enhancing the quality and actionability of threat intelligence.
  • Improved Vulnerability Prioritization (CVEs): CVE analysts can leverage TLCTC to add strategic context to vulnerability data, enabling better prioritization and remediation efforts.

Standards Bodies & Regulatory Agencies

  • Developing Clearer Threat Standards (NIST/ISO/CIS): Provides a robust foundation for NIST, ISO, CIS, and other standards bodies to develop clearer, more consistent threat standards.
  • Framework Harmonization (CISA/ENISA): Enables CISA, ENISA, and similar agencies to harmonize cybersecurity frameworks and improve interoperability.
  • Global Consistency for EU Agencies: Facilitates consistent threat understanding and reporting across EU agencies and member states, supporting EU-wide cybersecurity initiatives.
  • Enhanced National & International Coordination: Empowers national cyber security centers (NCSCs) and international bodies to coordinate threat intelligence sharing and incident response more effectively.

Key Concept Components

TLCTC Definitions

We need a common language

  • Axioms (check white paper)
  • The Thought Experiment
  • Definitions and Clarifications
  • Definitions (incl. JSON)
  • Glossary
  • Enumeration and Notation Enhancement V2.0

Concept Applicability

Scope of Software and Hardware

  • at Interface Level (API)
  • at Function Call Level
  • Vertical Stack Application

Bridging Strategy and Operations

A Comprehensive Two-Tiered Approach

Cyber Bow-Tie Generic

  • Strategic Management Layer
  • Operational Layer
  • CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

Cyber Bow-Tie

Besides Attack Paths, we talk about Event Chains

Cyber Bow-Tie Generic

  • Basic Bow-Tie
  • Cyber Bow-Tie - Alternative Visualization (V2)
  • More Definitions
  • A CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

Framework Integration

CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

CSF Wheel

NIST CSF

Integration with NIST Cybersecurity Framework functions

  • Identify function mapping
  • Protect controls alignment
  • Detect capabilities integration
  • NIST CSF Integration with TLCTC Framework

SSDLC

Secure Software Development Lifecycle

  • Phase-Specific Integration
  • Integration with NIST CSF Functions
  • Secure Coding Practices
  • Secure Software Development: Distinguishing Between Coding and Programming
  • Enhancing SonarQube with the TLCTC Framework and CWE
  • Integrating TLCTC with NIST SP 800-218 (SSDF)
  • Example Integrating TLCTC with PASTA in the SDLC
  • Example Integrating TLCTC with IEC 62443

MITRE ATT&CK

Enhanced tactical security operations through TLCTC categorization

  • Technique mapping (T1234) (Enterprise INITIAL)
  • CWE alignment
  • Attack pattern categorization
  • MITRE Atlas AI - Mapping Adversarial ML (AML) Techniques
  • MITRE ATT&CK and STIX Integration with TLCTC

STIX/TAXII

Standardized threat intelligence sharing

  • STIX object integration
  • Threat pattern mapping
  • Intelligence sharing enhancement
  • Enhancing STIX with TLCTC Framework

NVD CVE

Enhancing CVE Details

  • A Strategic Extension for Attack Vector Representation
  • Structural Proposal
  • Assessment of the Extended CVE JSON Proposal
  • Enhancing CVE Details with the TLCTC Framework

Vulnerability Mapping

TLCTC cluster alignment

  • Root cause analysis
  • Generic vulnerability mapping
  • Impact classification
  • Enhancing SonarQube with the TLCTC Framework and CWE
  • Specific CVE Analysis and TLCTC Enhancement Proposal

CVE 2 TLCTC Mapper

Custom My GPT

  • Check a CVE
  • Attack vector analysis
  • TLCTC Mapping
  • [CVE 2 TLCTC Mapper and Analyzer]

Call to Act

MITRE & STIX

  • Mitre & STIX
  • Proposed Enhancements
  • Implementation Approach

Tools

CISO's Guide to Distinguishing Cyber Risk from IT and Operational Risk

Cyber Threat Radars

Holistic Views on every Level

  • Your View as Organization - My Org, My Customers, My 3rd Parties
  • State Level View - Sector analysis, cross-sector coordination
  • Cyber Threat Radar Example for an Organization

  • Try The TLCTC Radar App

Actor Profiles

Know Your Enemy

  • Major breach analysis
  • Pattern recognition
  • Attacker Profiles, e.g. "Scattered Spider"
  • Analysis of Threat Actors: CrowdStrike 2024 Report Mapped to TLCTC Framework
  • Cobalt Strike - TLCTC Mapping Table
  • Try TLCTC Cyber Threat Actor Profile Designer

Attack Path Notation

  • #9 -> #4 ... TLCTC-09.00 -> TLCTC-04.00
  • MFA Bombing Example
  • Part of common language
  • Enumeration and Notation Enhancement V2.0
  • Emotet Example

Standardized sequence representation

Complex Scenarios

Multi-stage attack analysis

  • Foundation of Defense in Depth
  • Lateral movement patterns
  • Attack chain analysis

Critics

Critical TLCTC Analysis

The "Why Ten?" Question

  • Framework remains open to evolution
  • Call To Act: Challenges NIST and MITRE
  • Provides complete coverage by design
  • Learn more about the rationale

Cluster Refinement

Analysis of Cluster Maturity

  • Established clusters with strong validation
  • Emerging clusters requiring further analysis
  • Open for community discussion and input

Framework Analysis

Comparative Review of Standards regarding Cyber Threat Taxonomy

  • Security Standards: NIST, ISO, CIS, BSI
  • Threat Models: MITRE, STRIDE, OWASP
  • Emerging Standards & Regional Frameworks
  • Complementary Frameworks: Enhancing The Threat Modeling Manifesto
  • Beyond STRIDE
  • CRF-TT
  • OCTAVE
  • PASTA
  • ISO/SAE 21434
  • LINDDUN
  • FAIR

Regulatory Analysis

Critical Reflections on

  • NIS 2 DIRECTIVE (EU) 2022/2555: Definitions, Scope, Improvement
  • DORA (Digital Operational Resilience Act - Regulation (EU) 2022/2554)
  • DORA RTS TLTP - Draft Regulatory Technical Standards...
  • Regulation (EU) 2019/881 (CSA) & Regulation (EU) 2024/... (CRA)
  • ETSI TR 103 331 V2.1.1 (2022-12) - Structured threat information sharing

TLCTC BLOG

Work in Progress: This page is being updated. For definitive information, please consult the White Paper V1.6.3 [PDF Link].

Discuss or ask questions about TLCTC? Try the [TLCTC Explainer GPT]

Operational with TLCTC? Try the [CVE 2 TLCTC Mapper and Analyzer GPT]
