TLCTC Blog - 2025/02/21
Comparing TLCTC and CRF Threat Taxonomy Frameworks
A comparison of two threat taxonomies: The "Top Level Cyber Threat Clusters (TLCTC)" and the Cybersecurity Risk Foundation's "CRF - Threat Taxonomy (TT) 2024". These frameworks are analyzed for consistency and completeness, considering their stated goals and methodologies.
The Top Level Cyber Threat Clusters (TLCTC)
Reference: TLCTC (2025/04/18) - Top Level Cyber Threat Clusters
Goal
To create a universal, consistent taxonomy that bridges strategic risk management and operational security. It aims to be pragmatic and applicable across diverse IT systems and contexts. It explicitly separates threats from threat actors, vulnerabilities, and consequences.
Methodology
Thought Experiment
The TLCTC starts with a thought experiment, imagining IT as a single object with attack surfaces, then derives 10 threat clusters based on generic vulnerabilities.
Axioms
The framework is built upon explicit axioms, which are fundamental assumptions that must be accepted to validate the concept. These axioms enforce distinctions (e.g., threats vs. vulnerabilities) and define the scope.
Two-Tiered Approach
Distinguishes between a strategic management layer (high-level clusters) and an operational layer (sub-threats, TTPs).
Client-Server Model
Uses the client-server interaction model as a fundamental principle, even extending it to physical layer analysis.
Sequence Focus
Emphasizes attack sequences (attack paths) rather than just isolated threat events.
Integration
Demonstrates how the framework can integrate with existing standards and frameworks like NIST CSF, MITRE ATT&CK, STIX, and even FAIR.
Structure: 10 top-level threat clusters, each linked to a generic vulnerability
TLCTC ID | Threat Cluster |
---|---|
TLCTC-01.00 | Abuse of Functions |
TLCTC-02.00 | Exploiting Server |
TLCTC-03.00 | Exploiting Client |
TLCTC-04.00 | Identity Theft |
TLCTC-05.00 | Man in the Middle |
TLCTC-06.00 | Flooding Attack |
TLCTC-07.00 | Malware |
TLCTC-08.00 | Physical Attack |
TLCTC-09.00 | Social Engineering |
TLCTC-10.00 | Supply Chain Attack |
Key Features
Generic Vulnerability Focus
Each cluster is tied to a root cause vulnerability, not a specific technology or attack technique.
Cause-Oriented
Threats are positioned on the "cause" side of a Bow-Tie risk model.
Non-Overlapping (Claimed)
The axioms and methodology are designed to create distinct, non-overlapping clusters.
Extensible
The operational layer allows for detailed sub-threats and TTPs.
Practical Application
Provides guidance for integration with SSDLC, secure coding practices, threat intelligence, and risk assessment.
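As an added illustration of the conventions described above (the TLCTC-NN.00 identifier form, the strategic/operational split, the separation of threats from actors, vulnerabilities and consequences, and the attack-sequence focus), the following Python model is included here; it is not code from the TLCTC project. The `->` notation for attack sequences and the reading of a non-zero suffix (e.g. `TLCTC-09.01`) as an operational-layer sub-threat of cluster 09 are assumptions, since the page only shows the `.00` top-level form. The incident records are constructed sample data.

```python
"""Minimal model of the TLCTC conventions (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The ten top-level clusters exactly as listed on the page.
TOP_LEVEL_CLUSTERS: Dict[str, str] = {
    "TLCTC-01.00": "Abuse of Functions",
    "TLCTC-02.00": "Exploiting Server",
    "TLCTC-03.00": "Exploiting Client",
    "TLCTC-04.00": "Identity Theft",
    "TLCTC-05.00": "Man in the Middle",
    "TLCTC-06.00": "Flooding Attack",
    "TLCTC-07.00": "Malware",
    "TLCTC-08.00": "Physical Attack",
    "TLCTC-09.00": "Social Engineering",
    "TLCTC-10.00": "Supply Chain Attack",
}

_ID_RE = re.compile(r"^TLCTC-(\d{2})\.(\d{2})$")


def parse_threat_id(threat_id: str) -> Tuple[str, bool]:
    """Return (parent top-level cluster ID, is_sub_threat).

    Assumption: a suffix other than 00 denotes an operational-layer
    sub-threat whose parent is the cluster with that prefix.
    """
    match = _ID_RE.match(threat_id.strip())
    if not match:
        raise ValueError(f"malformed TLCTC id: {threat_id!r}")
    cluster, suffix = match.group(1), match.group(2)
    parent = f"TLCTC-{cluster}.00"
    if parent not in TOP_LEVEL_CLUSTERS:
        raise ValueError(f"unknown top-level cluster: {parent}")
    return parent, suffix != "00"


def is_valid_threat_id(threat_id: str) -> bool:
    """True if the id is well formed and belongs to a known cluster."""
    try:
        parse_threat_id(threat_id)
        return True
    except ValueError:
        return False


def parse_attack_sequence(path: str) -> List[str]:
    """Parse 'A -> B -> C' (assumed notation) into ordered top-level clusters."""
    steps = [s for s in path.split("->") if s.strip()]
    if not steps:
        raise ValueError("empty attack sequence")
    return [parse_threat_id(s)[0] for s in steps]


def describe_sequence(sequence: List[str]) -> str:
    """Render a sequence of cluster IDs with their human-readable names."""
    return " -> ".join(TOP_LEVEL_CLUSTERS[cid] for cid in sequence)


@dataclass
class BowTieRecord:
    """One incident with the four concerns the TLCTC axioms keep apart."""
    actor: str                        # WHO: the threat actor, not a threat
    threat_sequence: List[str]        # cause side: ordered TLCTC clusters
    vulnerabilities: List[str]        # the generic vulnerabilities exploited
    consequence: str                  # effect side of the bow-tie


def cluster_coverage(records: List[BowTieRecord]) -> Dict[str, int]:
    """Count how often each top-level cluster occurs across all records."""
    counts = {cid: 0 for cid in TOP_LEVEL_CLUSTERS}
    for record in records:
        for cid in record.threat_sequence:
            counts[cid] += 1
    return counts


# Constructed sample incidents (not real cases).
SAMPLE_RECORDS: List[BowTieRecord] = [
    BowTieRecord(
        actor="criminal group (constructed)",
        threat_sequence=parse_attack_sequence(
            "TLCTC-09.00 -> TLCTC-07.00 -> TLCTC-04.00"),
        vulnerabilities=["human trust", "executable content", "credential reuse"],
        consequence="loss of confidentiality",
    ),
    BowTieRecord(
        actor="unknown",
        threat_sequence=parse_attack_sequence("TLCTC-10.00 -> TLCTC-07.00"),
        vulnerabilities=["trust in third-party components"],
        consequence="loss of integrity",
    ),
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record.actor, "|", describe_sequence(record.threat_sequence),
              "|", record.consequence)
    print(cluster_coverage(SAMPLE_RECORDS))
```

The point of the record type is the axiom the page stresses: the actor, the ordered threat clusters, the exploited vulnerabilities and the consequence sit in separate fields, so a coverage count over the threat sequences can be compared directly against a control map without actors or impacts leaking into it.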
Cybersecurity Risk Foundation's CRF - Threat Taxonomy (TT) 2024
Reference: https://crfsecure.org/research/crf-threat-taxonomy/ (2025/02/21) - CRF-TT
Goal
To provide a "structured framework to enhance the understanding and response to cyber risks." It aims to be a "practical guide aimed at empowering organizations to navigate the complexities of cybersecurity."
Methodology
Less explicitly defined than TLCTC. It mentions "extensive research and expert consensus," but the derivation process for the categories isn't detailed.
Structure: A three-part framework
Framework Section | Components | Focus |
---|---|---|
Threat Agents | Hacktivists, Cybercriminals, Nation-States, etc. | WHO - The actors behind threats |
Threat Activities | Physical Threats, Operational Threats, Technical Threats | HOW/WHAT - Actions and vulnerabilities |
Threats to an Organization | Confidentiality, Integrity, Availability impacts | EFFECT - Consequences of threats |
Threat Ratings for agents, actions and impacts are given.
Key Features
Broad Categories
Uses high-level categories like "Physical Threats," "Operational Threats," and "Technical Threats."
Actor Focus
Includes a section dedicated to categorizing threat actors.
Impact Focus
Explicitly addresses the impact of threats on the organization.
Threat Ratings
Assigns numerical threat ratings to each category.
Comparison: Consistency and Completeness
Aspect | TLCTC Framework | CRF Threat Taxonomy |
---|---|---|
Methodology | Clear methodology based on thought experiment and explicit axioms. Transparent derivation process. | Lacks explicit methodology. Mentions "expert consensus" but derivation process is not detailed. |
Structure | Consistent focus on generic vulnerabilities. Two-tiered approach with strategic and operational layers. | Mixes different concepts: actors (WHO), actions (HOW), vulnerabilities (WHAT), and consequences (EFFECT). |
Completeness | Claims completeness within scope. Generic vulnerability focus likely covers fundamental attack surfaces. Extensible to new techniques. | Harder to assess due to lack of methodology. Broad categories may lead to gaps or overlaps. Example: supply chain attacks don't fit neatly. |
Separation of Concerns | Strong emphasis on separating threats, actors, vulnerabilities, and consequences. | Mixes these concepts, potentially leading to confusion. |
Practical Application | Detailed guidance with integration examples and applications across security disciplines. | Less detailed focus on practical implementation. |
Primary Focus | Generic vulnerabilities and attack sequences | Threat actors and broad threat categories |
Categorization Basis | Consistent basis (generic vulnerabilities) | Mixed basis (actors, activities, impacts) |
Methodology and Derivation
TLCTC
Wins on consistency due to its clearly defined methodology (thought experiment and axioms). This provides a logical basis for the categories and helps ensure they are distinct and non-overlapping. The derivation process is transparent.
CRF
Lacks a clear, explicit methodology. The derivation of the categories isn't explained, making it harder to assess their completeness or consistency.
Structure and Categorization
TLCTC
More consistent in its structure. It focuses on generic vulnerabilities as the basis for categorization, which provides a more fundamental and stable framework. The two-tiered approach allows for both strategic overview and operational detail.
CRF
Less consistent. It mixes different types of categories:
- "Threat Agents" are actors (WHO).
- "Threat Activities" are a mix of actions (HOW) and some underlying vulnerabilities (WHAT). The subcategories (Physical, Operational, Technical) are very broad and overlap. For example, "System Abuse by Authorized Personnel" could involve technical actions. "Social Engineering of Personnel" is an action, not a category of threats in the same way that "Physical Loss of Assets" is.
- "Threats to an Organization (Impacts)" are consequences (EFFECT).
This mixing of actors, actions, and consequences makes the CRF taxonomy less logically coherent than the TLCTC.
Completeness
TLCTC
Claims completeness within its scope (defined by the axioms and thought experiment). The focus on generic vulnerabilities suggests a higher likelihood of covering the fundamental attack surfaces. The extensibility (sub-threats) allows for capturing new and evolving techniques. The document explicitly addresses the question of "oversimplification" and argues that the strategic level requires abstraction.
CRF
Completeness is harder to assess due to the lack of a clear methodology. The broad categories could lead to gaps or overlaps. For example, where would a supply chain attack involving compromised firmware fit? It's not purely "Physical," "Operational," or "Technical." The CRF taxonomy doesn't provide a clear home for it. The ratings system is subjective.
Separation of Concerns
TLCTC
Strong emphasis on separating threats, threat actors, vulnerabilities, and consequences. This is a key strength for risk management and control mapping.
CRF
Mixes these concepts, which can lead to confusion.
Practical Application
TLCTC
Provides detailed guidance on how to apply the framework, with integration examples and clear, practical examples.
CRF
Less focus on practical application.
Conclusion
The TLCTC framework is more consistent and likely more complete than the CRF taxonomy. Here's why:
Consistent Methodology
TLCTC's use of a thought experiment and axioms provides a strong, logical foundation for its categories. The CRF taxonomy lacks this clear methodological basis.
Clear Separation of Concerns
TLCTC rigorously separates threats, actors, vulnerabilities, and consequences. The CRF taxonomy mixes these, leading to overlaps and inconsistencies.
Generic Vulnerability Focus
TLCTC's focus on generic vulnerabilities makes it more adaptable to new technologies and attack techniques. The CRF taxonomy's broad categories are less precise.
Two-Tiered Structure
TLCTC's strategic and operational levels allow for both high-level risk management and detailed threat analysis.
Completeness by Design
TLCTC derives its clusters from a thought experiment and explicit axioms, so its claim to completeness within scope follows from the method itself.
The CRF taxonomy provides a useful starting point, but its lack of a clear methodology, inconsistent categorization, and mixing of concepts make it less robust and less suitable for comprehensive cyber risk management than the TLCTC. The TLCTC provides practical examples to apply the concept.