TLCTC Blog - 2025/10/01

CKC × ATT&CK × TLCTC

Timeline × Techniques × Causes — a practical synthesis for modern defenders

Date: 2025/10/01 | Frameworks: CKC, MITRE ATT&CK, TLCTC

TL;DR

TLCTC is the core: it’s the only one of the three that provides a cause‑oriented threat taxonomy, a standard attack‑path notation (e.g., #9 → #3 → #7 → (#1 + #7)), and seamless integration into NIST CSF for governance and metrics.

Cyber Kill Chain (CKC) tells you when (phase timeline across campaigns).

MITRE ATT&CK tells you how (tactics/techniques beneath each step).

Use CKC × ATT&CK as overlays on the TLCTC core so every step is anchored to the generic vulnerability being abused (#1–#10) and rolls up cleanly to CSF.

Core idea: Keep CKC’s timeline and ATT&CK’s techniques, but drive with TLCTC’s causes. You’ll get an unambiguous attack path plus a CSF‑ready control view.

Why three frameworks together?

Most teams either narrate incidents strictly as a timeline (CKC) or catalog techniques (ATT&CK). Both are useful—but neither answers the question “Which generic vulnerability did the adversary abuse here?” That’s the gap TLCTC closes.

  • CKC: campaign phases (Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions).
  • ATT&CK: adversary tactics (Initial Access, Execution, Persistence, etc.) and specific techniques.
  • TLCTC: ten cause‑oriented clusters (#1–#10) that are non‑overlapping and map every step to the underlying generic vulnerability being abused.

TLCTC in 60 seconds

A two-layer view:

  1. Strategic Management Layer → the 10 top‑level clusters (causes).
  2. Operational Security Layer → the granular TTPs, CVEs, and playbooks that instantiate those causes.

The 10 Top Level Cyber Threat Clusters:

  • #1 Abuse of Functions – misusing legitimate capabilities/APIs.
  • #2 Exploiting Server – abusing a flaw in server‑side code.
  • #3 Exploiting Client – abusing a flaw in client‑side code.
  • #4 Identity Theft – acquiring/using credentials, tokens, keys.
  • #5 Man‑in‑the‑Middle (MitM) – abusing position on the path.
  • #6 Flooding Attack – exhausting capacity/quotas.
  • #7 Malware – executing foreign code/content (incl. LOLBAS as code execution context).
  • #8 Physical Attack – abusing physical access/interaction.
  • #9 Social Engineering – manipulating people.
  • #10 Supply Chain Attack – abusing trusted third‑party components/updates.

Axiom reminder: TLCTC is cause‑oriented. Outcomes (e.g., “data loss,” “RCE,” “DoS”) are effects—not threats.

The Tri‑Layer Mental Model

When (CKC) × How (ATT&CK) × Why (TLCTC)

Phase (CKC):Delivery → Exploitation → Installation → C2 → Actions
ATT&CK tactic:Initial Access → Execution/Privilege Esc./Persistence → Command & Control → Impact/Collection/Exfil
TLCTC cause tag:#9/#8/#1/#10#2/#3/#1/#7#1 or #7#1/#5/#7#4/#1/#6/#7
  • CKC anchors the sequence.
  • ATT&CK adds technique detail.
  • TLCTC locks down the cause, so controls and metrics line up to what the attacker actually abused.

Why TLCTC Should Be the Core

  • Cause‑oriented and non‑overlapping. TLCTC labels the generic vulnerability exploited at each step (no mixing of causes with outcomes).
  • Standard attack‑path notation. Compact strings and parentheses for parallelism make incidents comparable and briefable.
  • NIST CSF integration. Direct roll‑up into a 10 × (5 × 2) view (10 clusters × CSF Functions × {Local, Umbrella}).
  • Rosetta Stone for other models. ATT&CK techniques and CKC phases slot under the correct TLCTC cluster, avoiding ambiguity.
  • Metrics that matter. Coverage, latency, and residual risk tracked per cluster – not per tool.

Quick Alignment Cheatsheet

CKC Phase Typical ATT&CK Tactic(s) Common TLCTC Cluster(s) (Cause)
Recon Reconnaissance #1 (using legit search/APIs), #5 (passive path vantage)
Weaponization Resource Development #1 (abuse of build/packaging infra), #7 (malware creation)
Delivery Initial Access #9 (phish), #8 (removable media), #3 (drive‑by), #2 (public‑facing app), #1 (external remote services), #10 (trusted relationship)
Exploitation Execution / PrivEsc #2 (server exploit), #3 (client exploit), #1 (living‑off‑the‑land), #7 (user‑executed code)
Installation Persistence / Execution #1 (abuse of functions) or #7 (malware)—sometimes both
Command & Control Command and Control #1 (legit cloud/SaaS channels), #7 (beacons/implants), #5 (on‑path manipulation)
Actions on Objectives Collection / Exfiltration / Impact / Lateral Movement #4 (credential theft/use), #1 (AD/API abuse), #6 (flooding), #7 (payloads)

Note: The exact tag depends on the cause at that step. E.g., “Installation” is #1 if persistence is via scheduled tasks/MDM/EDR deploy; #7 if a loader implants foreign code.

Expressing an Attack Path (Standard Notation)

Use TLCTC’s compact sequence to describe the cause chain:

Email → macro → credential theft → domain abuse → encryptors
#9 → #7 → #4 → (#1 + #7)

Stolen cloud key → abuse of APIs for fleet‑wide scripts → data exfil
#4 → #1 → #1 (first #1 = execution via legit APIs; second #1 = bulk data pull via allowed endpoints)

Build‑system compromise → trojaned update → downstream tenants
#10 → #7 → #1 (supply chain entry, foreign code executes in update flow, then abuse of deployment functions)

Parentheses denote parallel causes. Repeat clusters if the same cause appears at separate steps.

Mini Case Studies

1) Phishing‑led ransomware

  • CKC: Delivery → Exploitation → Installation → C2 → Actions
  • ATT&CK: Initial Access (phish), Execution (macro), Persistence/Execution (schtasks), C2 (HTTPS), Impact (encrypt)
  • TLCTC path: #9 → #7 → #1 → (#1 + #7)
  • Why: macro runs (foreign code = #7), then persistence via scheduled task (legit function = #1); final stage deploys encryptor (#7) while abusing AD/GPO for spread (#1).

2) Cloud lateral movement without new malware

  • CKC: Delivery/Initial Access → Actions
  • ATT&CK: Initial Access (valid accounts) → Discovery/Collection/Exfiltration
  • TLCTC path: #4 → #1 → #1
  • Why: keys are used (identity theft = #4); attacker invokes native cloud APIs to enumerate, snapshot, exfil (abuse of functions = #1).

3) Supply‑chain update poisoning

  • CKC: Weaponization → Delivery → Installation → Actions
  • ATT&CK: Resource Development (compromise toolchain), Initial Access (supply chain), Execution (signed binary proxy), Impact
  • TLCTC path: #10 → #7 → #1
  • Why: third‑party trust is abused (#10), code executes as part of update (#7), and enterprise deployment tooling is misused to laterally push changes (#1).

How to Run a CKC × ATT&CK × TLCTC Tabletop

  1. Narrate the CKC timeline from recon to impact.
  2. Attach ATT&CK tactics/techniques to each step for operational clarity.
  3. Tag each step with exactly one primary TLCTC cluster (the cause). Use parentheses for parallel causes.
  4. Write the attack‑path string (e.g., #9 → #7 → #4 → (#1 + #7)).
  5. Map controls to the clusters in your 10×(5×2) scorecard; identify gaps and define success metrics per cluster.
Make TLCTC your core (causes, notation, CSF roll‑up). Then overlay CKC for the storyline and ATT&CK for the play‑by‑play. The payoff is a crisp, auditable attack path and a CSF‑aligned scorecard that execs, engineers, and responders can all use.

Why STRIDE is obsolete here

STRIDE mixes causes (e.g., spoofing) with effects (e.g., information disclosure, DoS) and techniques, which creates ambiguity in control design and reporting. TLCTC resolves this by fully replacing STRIDE’s role: the 10 Threat Clusters capture the cause side (generic vulnerabilities being abused), while Data Risk Events and Business Risk Events capture the effect side in the Bow‑Tie view. This clean separation removes overlap, enables the standard attack‑path notation for concise sequencing, and plugs directly into NIST CSF dashboards without translation layers—making STRIDE redundant in this CKC × ATT&CK × TLCTC synthesis.