Updated for V2.0

Enhancing STIX with TLCTC V2.0

A comprehensive integration guide featuring Attack Velocity, Domain Boundaries, and the standardized JSON architecture for threat intelligence sharing.

Bernhard Kreinz

The Integration Challenge

Fragmented threat intelligence fails to connect strategic risk management with operational security. While MITRE ATT&CK and STIX enable detailed sharing, they lack a standardized high-level taxonomy that answers: "What generic vulnerability was exploited?" — the question that bridges threat intelligence with actionable defense.

What's New in V2.0

TLCTC V2.0 introduces three major enhancements that transform how we document, share, and analyze attack intelligence:

Attack Velocity (Δt)

Temporal dimension measuring defender response windows between attack steps.

Domain Boundaries

Explicit marking of responsibility sphere transitions in attack paths.

JSON Architecture

Four-file structure enabling machine-readable threat intelligence exchange.

V2.0 Notation System

TLCTC employs two complementary notation systems that map bi-directionally:

Layer        Format        Example                      Use Case
Strategic    #X            #9 → #7 → #4                 Executive comms, risk boards
Operational  TLCTC-XX.YY   TLCTC-09.00 → TLCTC-07.00    SIEM rules, automation, APIs

Attack Path Operators

Operator          Syntax                    Meaning
Sequence          → or ->                   Sequential attack steps
Parallel          (#X + #Y)                 Simultaneous/coordinated actions
Velocity          →[Δt=2h]                  Time between steps
Domain Boundary   ||[ctx][@Src→@Tgt]||      Responsibility sphere transition
DRE Tag           + [DRE: C, I, A]          Data Risk Event (outcome)

Key Principle: DRE tags record outcomes (Confidentiality, Integrity, Availability impacts) but do not change cluster classification. TLCTC classifies causes, not consequences.
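As an added example (not code from this page or from TLCTC.net), the following Python parser reads a V2.0 attack-path string token by token using the operator table above: each step is resolved to its operational TLCTC-XX.00 identifier, Δt and domain-boundary annotations are attached to the step they qualify, and DRE tags stay at sequence level so an outcome never becomes a step. The bridge set {#8, #9, #10} is taken from the cluster topology table; the output field names are this example's own choice.

```python
import re

BRIDGE = {8, 9, 10}  # bridge-topology clusters from the table above

# One alternative per V2.0 operator; the named group that matched tells us which.
TOKEN = re.compile(r"""
    \(\s*(?P<par>\#\d+(?:\s*\+\s*\#\d+)+)\s*\)                         # (#1 + #7)
  | \#(?P<step>\d+)                                                    # #9
  | \|\|\[(?P<ctx>[^\]]*)\]\[@(?P<src>[^→\]]+)→@(?P<tgt>[^\]]+)\]\|\|  # ||[ctx][@Src→@Tgt]||
  | (?:→|->)(?:\[Δt=(?P<dt>[^\]]+)\])?                                 # → / ->, optional [Δt=..]
  | \+\s*\[DRE:\s*(?P<dre>[^\]]+)\]                                    # + [DRE: C, I, A]
""", re.VERBOSE)

def to_operational(cluster: int) -> str:
    """Strategic #X -> operational TLCTC-XX.00."""
    return f"TLCTC-{cluster:02d}.00"

def parse_notation(text: str) -> dict:
    """Return ordered steps (with Δt, boundary, operational IDs) and sequence-level DRE tags."""
    steps, dre_tags, pending_dt, pos = [], [], None, 0
    for m in TOKEN.finditer(text):
        if text[pos:m.start()].strip():          # only whitespace may sit between tokens
            raise ValueError(f"unrecognised input near {text[pos:m.start()]!r}")
        pos = m.end()
        if m.group("par") or m.group("step"):
            nums = [int(n) for n in re.findall(r"\d+", m.group("par") or m.group("step"))]
            steps.append({
                "step_number": len(steps) + 1,
                "strategic": f"#{nums[0]}" if len(nums) == 1
                             else "(" + " + ".join(f"#{n}" for n in nums) + ")",
                "operational": [to_operational(n) for n in nums],
                "parallel": len(nums) > 1,
                "bridge": any(n in BRIDGE for n in nums),
                "delta_t": pending_dt,               # Δt of the arrow leading into this step
                "domain_boundary": None,
            })
            pending_dt = None
        elif m.group("ctx") is not None:             # boundary annotates the preceding step
            if not steps:
                raise ValueError("domain boundary before any step")
            steps[-1]["domain_boundary"] = {"context": m.group("ctx"),
                                            "source": "@" + m.group("src"),
                                            "target": "@" + m.group("tgt")}
        elif m.group("dre"):                         # outcome tag: recorded, never a step
            dre_tags = [t.strip() for t in m.group("dre").split(",")]
        else:                                        # sequence operator, Δt may be absent
            pending_dt = m.group("dt")
    if text[pos:].strip():
        raise ValueError(f"trailing input {text[pos:]!r}")
    return {"steps": steps, "dre_tags": dre_tags}
```

Feeding the Emotet path from the case study below yields five steps, the first marked as a bridge step carrying the email boundary, the last a parallel (#1 + #7) group, with the DRE tags reported separately.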

Attack Velocity Classes

V2.0 introduces four operational velocity classes that describe the defender's feasible response mode based on the time available between attack steps:

VC-1 Strategic

Days → Months

Log retention, threat hunting, strategic monitoring

VC-2 Tactical

Hours

SIEM alerting, analyst triage, guided response

VC-3 Operational

Minutes

SOAR/EDR automation, rapid containment, playbooks

VC-4 Real-Time

Seconds → Milliseconds

Architecture hardening, circuit breakers, rate limits
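Added example, not part of the original page: deriving x_delta_t objects and their velocity class from the timestamps of consecutive attack steps, which is how an incident timeline becomes the Δt annotations used in the sequence objects below. The numeric cut-offs (one minute, one hour, one day) and the per-step observed_at field are assumptions; the class table above gives magnitudes only.

```python
from datetime import datetime

# Assumed numeric cut-offs (the class table gives magnitudes, not exact boundaries):
# VC-4 under a minute, VC-3 under an hour, VC-2 under a day, VC-1 a day or more.
VELOCITY_CLASSES = ((60, "VC-4"), (3600, "VC-3"), (86400, "VC-2"), (float("inf"), "VC-1"))
UNITS = (("d", 86400), ("h", 3600), ("m", 60), ("s", 1))   # "h"/"m" as the page writes them

def velocity_class(seconds: float) -> str:
    """Map the window between two attack steps to the defender's feasible response mode."""
    if seconds < 0:
        raise ValueError("negative window: steps are out of order")
    return next(vc for limit, vc in VELOCITY_CLASSES if seconds < limit)

def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # pre-3.11 fromisoformat rejects "Z"

def delta_t(prev_ts: str, next_ts: str) -> dict:
    """Build an x_delta_t object ({value, unit, velocity_class}) from two ISO-8601 timestamps."""
    seconds = (_parse_ts(next_ts) - _parse_ts(prev_ts)).total_seconds()
    vc = velocity_class(seconds)
    for unit, size in UNITS:                        # largest unit that keeps the value >= 1
        if seconds >= size:
            value = seconds / size
            return {"value": int(value) if value.is_integer() else round(value, 1),
                    "unit": unit, "velocity_class": vc}
    return {"value": round(seconds * 1000), "unit": "ms", "velocity_class": vc}

def annotate(steps: list) -> list:
    """Return a copy of the steps with x_delta_t on every step after the first.

    observed_at (assumed field) is the step's timestamp taken from the incident
    timeline; the first step carries no Δt because no attack step precedes it.
    """
    out = []
    for i, s in enumerate(steps):
        s = dict(s)
        if i:
            s["x_delta_t"] = delta_t(steps[i - 1]["observed_at"], s["observed_at"])
        out.append(s)
    return out

# Constructed sample: the phishing-to-credential-abuse chain below, with assumed timestamps.
PHISHING_CHAIN = [
    {"x_tlctc_strategic": "#9", "observed_at": "2024-03-15T08:00:00Z"},
    {"x_tlctc_strategic": "#7", "observed_at": "2024-03-15T10:00:00Z"},
    {"x_tlctc_strategic": "#4", "observed_at": "2024-03-15T10:15:00Z"},
    {"x_tlctc_strategic": "#1", "observed_at": "2024-03-15T10:20:00Z"},
]
```

annotate(PHISHING_CHAIN) reproduces the 2h / 15m / 5m windows and the VC-2, VC-3, VC-3 classes of the x-attack-sequence example.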

Cluster Topology

TLCTC V2.0 classifies clusters by their topological role in attack paths:

#    Cluster Name          Topology   Generic Vulnerability
#1   Abuse of Functions    Internal   Functional scope/trust
#2   Exploiting Server     Internal   Server-side implementation flaws
#3   Exploiting Client     Internal   Client-side implementation flaws
#4   Identity Theft        Internal   Identity-artifact binding
#5   Man in the Middle     Internal   Lack of E2E protection
#6   Flooding Attack       Internal   Finite capacity limitations
#7   Malware               Internal   Designed execution capability
#8   Physical Attack       Bridge     Physical accessibility
#9   Social Engineering    Bridge     Human psychological factors
#10  Supply Chain Attack   Bridge     Third-party trust dependencies

Bridge Clusters (#8, #9, #10) inherently enable attacks to cross domain boundaries — transitioning from one responsibility sphere to another. The domain boundary operator ||[context][@Source→@Target]|| SHOULD accompany bridge cluster steps.

Proposed STIX Enhancements

The following custom STIX objects extend the 2.1 specification to incorporate TLCTC V2.0 concepts:

x-threat-cluster Object

Represents a TLCTC threat cluster with its generic vulnerability and topology classification:

x-threat-cluster.json
{
  "type": "x-threat-cluster",
  "spec_version": "2.1",
  "id": "x-threat-cluster--a1b2c3d4-...",
  "name": "Social Engineering",
  "x_tlctc_id": "TLCTC-09.00",
  "x_tlctc_strategic": "#9",
  "description": "Attacks exploiting human psychological factors...",
  "x_generic_vulnerability": "Human psychological factors",
  "x_topology": "bridge",
  "x_typical_domain_boundaries": ["@External→@Org", "@HR→@Org"],
  "x_framework_version": "2.0"
}

x-attack-sequence Object (V2.0)

Documents complete attack paths with velocity annotations, domain boundaries, and DRE tags:

x-attack-sequence-v2.json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--e5f6g7h8-...",
  "name": "Phishing to Credential Abuse Chain",
  "x_framework_version": "2.0",
  "x_sequence_notation": "#9 →[Δt=2h] #7 →[Δt=15m] #4 →[Δt=5m] #1",
  "x_dominant_velocity_class": "VC-3",
  "attack_steps": [
    {
      "step_number": 1,
      "x_tlctc_id": "TLCTC-09.00",
      "x_tlctc_strategic": "#9",
      "stage": "initial",
      "x_responsibility_sphere": "@External",
      "x_domain_boundary": {
        "context": "email",
        "source": "@External",
        "target": "@Org"
      },
      "mitre_techniques": ["T1566.001"],
      "description": "Spear-phishing email with malicious attachment"
    },
    {
      "step_number": 2,
      "x_tlctc_id": "TLCTC-07.00",
      "x_tlctc_strategic": "#7",
      "stage": "intermediate",
      "x_responsibility_sphere": "@Org",
      "x_delta_t": {
        "value": 2,
        "unit": "h",
        "velocity_class": "VC-2"
      },
      "mitre_techniques": ["T1204.002"],
      "description": "User executes malicious macro"
    },
    {
      "step_number": 3,
      "x_tlctc_id": "TLCTC-04.00",
      "x_tlctc_strategic": "#4",
      "stage": "intermediate",
      "x_responsibility_sphere": "@Org",
      "x_delta_t": {
        "value": 15,
        "unit": "m",
        "velocity_class": "VC-3"
      },
      "mitre_techniques": ["T1003"],
      "description": "Credential harvesting via Mimikatz"
    },
    {
      "step_number": 4,
      "x_tlctc_id": "TLCTC-01.00",
      "x_tlctc_strategic": "#1",
      "stage": "final",
      "x_responsibility_sphere": "@Org",
      "x_delta_t": {
        "value": 5,
        "unit": "m",
        "velocity_class": "VC-3"
      },
      "x_dre_tags": ["C", "I"],
      "mitre_techniques": ["T1078"],
      "description": "Lateral movement using stolen credentials"
    }
  ]
}

Four-File JSON Architecture

TLCTC V2.0 standardizes threat intelligence sharing through a layered file architecture:

┌─ FRAMEWORK LAYER (Universal / Stable)
tlctc-framework.json — Core cluster definitions
tlctc-responsibility-spheres.json — Domain boundaries
tlctc-attack-sequence-schema.json — Validation schema
└─ INTELLIGENCE LAYER (Dynamic / Per-Incident)
[incident-id]-attack-path.json — Specific attack instance

Real-World Case Study: Emotet Campaign

The Emotet banking trojan campaign demonstrates a sophisticated multi-stage attack path. Here's how V2.0 notation captures both structure and timing:

V2.0 Attack Path Notation:
#9 ||[email][@External→@Org]|| →[Δt=hours] #7 →[Δt=minutes] #7 →[Δt=days] #4 →[Δt=minutes] (#1 + #7) + [DRE: C, I, A]
emotet-attack-path.json
{
  "metadata": {
    "sequence_id": "EMOTET-2024-001",
    "attack_title": "Emotet Initial Access to Domain Compromise",
    "framework_version": "2.0",
    "created": "2024-03-15T10:00:00Z",
    "analyst": "SOC Team Alpha"
  },
  "x_sequence_notation": "#9 →[Δt=hours] #7 →[Δt=minutes] #7 →[Δt=days] #4 →[Δt=minutes] (#1 + #7)",
  "x_dominant_velocity_class": "VC-2",
  "attack_steps": [
    {
      "step_number": 1,
      "tlctc_cluster": {
        "strategic": "#9",
        "operational": "TLCTC-09.00"
      },
      "stage": "initial",
      "responsibility_sphere": "@External",
      "domain_boundary": {
        "context": "email",
        "source": "@External",
        "target": "@Org"
      },
      "description": "Phishing email with malicious Word document"
    },
    {
      "step_number": 2,
      "tlctc_cluster": {
        "strategic": "#7",
        "operational": "TLCTC-07.00"
      },
      "stage": "intermediate",
      "responsibility_sphere": "@Org",
      "delta_t": {
        "value": "hours",
        "velocity_class": "VC-2"
      },
      "software": [
        { "name": "Microsoft Word", "role": "exploit-delivery" }
      ],
      "mitre_techniques": ["T1204.002"],
      "description": "Macro execution drops Emotet loader"
    },
    {
      "step_number": 3,
      "tlctc_cluster": {
        "strategic": "#7",
        "operational": "TLCTC-07.00"
      },
      "stage": "intermediate",
      "responsibility_sphere": "@Org",
      "delta_t": {
        "value": "minutes",
        "velocity_class": "VC-3"
      },
      "software": [
        { "name": "Emotet", "role": "malware" }
      ],
      "mitre_techniques": ["T1055"],
      "description": "Secondary payload injection"
    },
    {
      "step_number": 4,
      "tlctc_cluster": {
        "strategic": "#4",
        "operational": "TLCTC-04.00"
      },
      "stage": "intermediate",
      "responsibility_sphere": "@Org",
      "delta_t": {
        "value": "days",
        "velocity_class": "VC-1"
      },
      "software": [
        { "name": "Mimikatz", "role": "attack-tool" }
      ],
      "mitre_techniques": ["T1003.001"],
      "description": "Credential harvesting via LSASS dump"
    },
    {
      "step_number": 5,
      "tlctc_cluster": {
        "strategic": "(#1 + #7)",
        "operational": ["TLCTC-01.00", "TLCTC-07.00"]
      },
      "stage": "final",
      "responsibility_sphere": "@Org",
      "delta_t": {
        "value": "minutes",
        "velocity_class": "VC-3"
      },
      "parallel_execution": true,
      "dre_tags": ["C", "I", "A"],
      "mitre_techniques": ["T1078", "T1486"],
      "description": "Lateral movement + ransomware deployment"
    }
  ],
  "business_impacts": [
    {
      "impact_id": "IMP-001",
      "category": "operational",
      "description": "72-hour business disruption",
      "linked_steps": [5]
    },
    {
      "impact_id": "IMP-002",
      "category": "financial",
      "description": "Ransom demand + recovery costs",
      "linked_steps": [5]
    }
  ]
}

Attack Timeline Analysis

The velocity annotations reveal critical defender windows:

Transition      Δt        Velocity Class   Defender Action
#9 → #7         hours     VC-2             Email filtering, user awareness
#7 → #7         minutes   VC-3             EDR detection, process isolation
#7 → #4         days      VC-1             Threat hunting, credential rotation
#4 → (#1+#7)    minutes   VC-3             SOAR playbooks, network segmentation

Operational Insight: The #7 → #4 transition shows a VC-1 (Strategic) window of days — this is where defenders have the most time to detect and respond. Threat hunting programs should prioritize detecting credential harvesting before lateral movement begins.

Integration Benefits

Combining TLCTC V2.0 with STIX and MITRE ATT&CK enables organizations to:

  • Velocity-Aware Detection: Map SIEM rules to velocity classes, ensuring automation matches attacker speed
  • Domain Boundary Analysis: Identify control gaps at responsibility sphere transitions (vendor, cloud, physical)
  • Strategic Communication: Use #X notation for board reports while TLCTC-XX.YY drives SOC automation
  • Pattern Recognition: Aggregate attack paths across incidents to identify sector-specific threat patterns
  • Control Prioritization: Align security investments with the most impactful clusters and transitions

Getting Started

To integrate TLCTC V2.0 into your threat intelligence workflow:

  1. Download the framework JSON files from tlctc.net
  2. Map existing MITRE ATT&CK techniques to TLCTC clusters using the mapping table
  3. Create custom STIX objects using the schemas above
  4. Annotate incident timelines with velocity data to derive Δt values
  5. Validate attack paths against tlctc-attack-sequence-schema.json
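Added example (not TLCTC.net's schema or validator) that serves both the Attack Timeline Analysis above and step 5 of this list: it rebuilds the transition table from an attack-path record and runs the consistency checks the page's rules imply, regenerating x_sequence_notation from attack_steps, requiring a velocity-classed delta_t on every step after the first, restricting DRE tags to C, I, A, and flagging a bridge cluster without a domain boundary as a warning (the SHOULD above). Field names follow the emotet-attack-path.json layout; the rule that a boundary's source and target must match the responsibility spheres of the steps it joins is this example's assumption, drawn from how that file is laid out.

```python
import re
BRIDGE, VC = {"#8", "#9", "#10"}, {"VC-1", "VC-2", "VC-3", "VC-4"}

def dt_text(s):  # Δt as the notation writes it: "hours" (attack-path file) or "2h" (value+unit)
    return f"{s['delta_t']['value']}{s['delta_t'].get('unit', '')}"

def to_notation(steps):  # regenerate x_sequence_notation (boundary and DRE annotations omitted)
    strat = [s["tlctc_cluster"]["strategic"] for s in steps]
    return " ".join([strat[0]] + [f"→[Δt={dt_text(s)}] {c}" for s, c in zip(steps[1:], strat[1:])])

def check_path(record):
    """Consistency findings as (severity, message); an empty list means the record is coherent."""
    steps, out = record["attack_steps"], []
    for i, s in enumerate(steps):
        n, strat = s["step_number"], s["tlctc_cluster"]["strategic"]
        if i and s.get("delta_t", {}).get("velocity_class") not in VC:
            out.append(("error", f"step {n}: missing delta_t or bad velocity_class"))
        if set(re.findall(r"#\d+", strat)) & BRIDGE and "domain_boundary" not in s:
            out.append(("warning", f"step {n}: bridge cluster {strat} lacks a domain boundary"))
        b = s.get("domain_boundary")  # assumed rule: a boundary's spheres match the steps it joins
        if b and (b["source"] != s["responsibility_sphere"] or
                  i + 1 < len(steps) and b["target"] != steps[i + 1]["responsibility_sphere"]):
            out.append(("error", f"step {n}: boundary {b['source']}→{b['target']} mismatches spheres"))
        if not set(s.get("dre_tags", [])) <= {"C", "I", "A"}:  # outcomes only, never a cluster
            out.append(("error", f"step {n}: DRE tags must be drawn from C, I, A"))
    if record["x_sequence_notation"] != to_notation(steps):
        out.append(("error", "x_sequence_notation does not match attack_steps"))
    return out

def timeline(steps):  # rows of the transition table (from, to, Δt, velocity class); run check_path first
    return [(p["tlctc_cluster"]["strategic"], s["tlctc_cluster"]["strategic"], dt_text(s),
             s["delta_t"]["velocity_class"]) for p, s in zip(steps, steps[1:])]

def step(n, strat, sphere, **extra):  # compact builder for the constructed sample below
    return {"step_number": n, "tlctc_cluster": {"strategic": strat},
            "responsibility_sphere": sphere, **extra}

# Constructed sample: the Emotet path from the case study, reduced to the fields the checks read.
EMOTET = {
    "x_sequence_notation": "#9 →[Δt=hours] #7 →[Δt=minutes] #7 →[Δt=days] #4 →[Δt=minutes] (#1 + #7)",
    "attack_steps": [
        step(1, "#9", "@External",
             domain_boundary={"context": "email", "source": "@External", "target": "@Org"}),
        step(2, "#7", "@Org", delta_t={"value": "hours", "velocity_class": "VC-2"}),
        step(3, "#7", "@Org", delta_t={"value": "minutes", "velocity_class": "VC-3"}),
        step(4, "#4", "@Org", delta_t={"value": "days", "velocity_class": "VC-1"}),
        step(5, "(#1 + #7)", "@Org", parallel_execution=True, dre_tags=["C", "I", "A"],
             delta_t={"value": "minutes", "velocity_class": "VC-3"}),
    ],
}
```

check_path(EMOTET) returns no findings and timeline(EMOTET["attack_steps"]) yields exactly the four rows of the transition table above.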

Conclusion

TLCTC V2.0's integration with STIX transforms threat intelligence from a documentation exercise into an operational tool. Attack Velocity provides the temporal dimension defenders need to calibrate their response capabilities. Domain Boundary Operators make responsibility handoffs explicit. The standardized JSON architecture enables machine-readable exchange across organizational boundaries.

The result: a unified language where strategic risk managers and SOC analysts can finally speak the same threat taxonomy — grounded in causes, not outcomes.

© 2025 TLCTC.net — Licensed under CC BY 4.0
