TLCTC Threat Classification Decision Tree
Practical tool for systematic threat cluster identification
Important: This is a Tool, Not the Source of Truth
The 10 Top Level Cyber Threat Clusters derive from systematic thought experiment and axioms, not from this decision tree. This tree is a practical aid for operational classification. When uncertain about classification, always consult the authoritative TLCTC cluster definitions, generic vulnerabilities, and contexts from the framework itself.
Based on TLCTC Framework v2.0 - Always start with the fundamental question: "What generic vulnerability is being exploited?"
Key Distinction Criteria
- Intended vs Unintended: Was the capability designed to work this way?
- Foreign vs Existing: Is new code being executed or existing functions being used?
- Exploit Code vs Malware Code: Code to trigger bugs vs code for malicious execution
- Client vs Server Role: Who initiates the request/interaction?
Primary Classification Tree
1. Is this targeting human psychology/behavior directly?
YES →
#9 Social Engineering
Exploits human gullibility, trust, fear, urgency, authority bias, curiosity
NO → Continue to question 2
↓
2. Does this require physical interaction/access to hardware, facilities, or signals?
YES →
#8 Physical Attack
Direct physical access (tampering, theft) or indirect (TEMPEST, jamming)
NO → Continue to question 3
↓
3. Is this exploiting a position on the communication path between parties?
YES →
#5 Man in the Middle
Leveraging privileged position (local network, compromised intermediary) to intercept/modify
NO → Continue to question 4
↓
4. Is the primary goal to overwhelm finite capacity/resources?
YES →
#6 Flooding Attack
Exhausting bandwidth, CPU, memory, storage, API limits, process pools
NO → Continue to question 5
↓
5. Is this targeting third-party components, services, or supply chain trust relationships?
YES →
#10 Supply Chain Attack
Compromising trusted software updates, dependencies, hardware, build pipelines
NO → Continue to question 6
↓
6. Is this specifically targeting authentication mechanisms or credential acquisition/misuse?
YES →
#4 Identity Theft
Stealing credentials, compromising authentication with valid credentials, credential harvesting forms
NO → Continue to question 7
↓
7. Does this involve executing foreign code (new code not originally part of the system)?
YES →
#7 Malware
Malware Code execution OR dual-use tools (PowerShell, PsExec) used maliciously
NO → Continue to question 8
↓
8. Does this exploit unintended code flaws/bugs using Exploit Code?
YES → Go to Server/Client determination
8a. Is the vulnerable code running in a server role (providing service)?
YES →
#2 Exploiting Server
SQL injection, buffer overflows in server code, RCE via deserialization
NO →
#3 Exploiting Client
DOM-based XSS, client library buffer overflows, browser rendering exploits
NO → Continue to question 9
↓
9. Is this abusing legitimate, designed functionality beyond intended scope?
YES →
#1 Abuse of Functions
Misusing API functionalities, parameter tampering, BGP hijacking, insecure configurations
NO → Review the classification: the case may be a multi-cluster sequence or an edge case that needs expert analysis
Critical Code Type Distinctions
Exploit Code (#2/#3)
- Purpose: Triggers specific code flaws/bugs
- Target: Unintended vulnerabilities
- Examples: Buffer overflow shellcode, SQL injection payloads
- Mechanism: Exploits implementation mistakes
Malware Code (#7)
- Purpose: Executes within designed capabilities
- Target: Execution environments
- Examples: Ransomware, trojans, malicious scripts
- Mechanism: Abuses execution capability
Common Classification Examples
Process Injection Scenarios:
- #1: Using legitimate Windows debugging APIs (DLL injection) - designed functionality
- #2/#3: Buffer overflow leading to code injection - exploits implementation flaw
Credential Scenarios:
- #4: Phishing form harvesting passwords - targets credential acquisition
- #4→#1: Stolen credentials used beyond intended scope - sequence attack
MFA Bombing Example:
- Sequence #4→#1→#9→#4: Stolen credentials → Abuse MFA request function → Social engineering for approval → Complete identity theft
PowerShell Usage:
- #7: Attacker-introduced PowerShell script - foreign malware code
- #1: Abusing legitimate PowerShell installation beyond intended scope
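The Primary Classification Tree above and the sequence examples in this section, encoded as an added worked example (this is not code from the TLCTC framework or its authors): each scenario is described by yes/no traits, the tree is walked in the page's question order, and multi-stage attacks are resolved stage by stage into the "#4→#1→#9→#4" style notation. The trait names and the constructed scenarios are this example's own assumptions.

```python
"""Added example, not part of the TLCTC framework or this page: the
Primary Classification Tree encoded as an ordered walk so a scenario
described by yes/no traits resolves the same way every time.  The trait
names and the scenario descriptions below are this example's assumptions."""

# Order matters: the page asks about #9, #8, #5, #6, #10, #4, #7 first,
# then the Exploit Code branch (#2/#3) and finally #1 Abuse of Functions.
QUESTIONS = [
    ("targets_human_behavior", "#9 Social Engineering"),
    ("needs_physical_access", "#8 Physical Attack"),
    ("on_communication_path", "#5 Man in the Middle"),
    ("overwhelms_capacity", "#6 Flooding Attack"),
    ("targets_third_party_trust", "#10 Supply Chain Attack"),
    ("targets_authentication", "#4 Identity Theft"),
    ("executes_foreign_code", "#7 Malware"),
]

def classify(traits: dict) -> str:
    """Walk the tree top to bottom; the first YES answer decides the cluster."""
    for trait, cluster in QUESTIONS:
        if traits.get(trait, False):
            return cluster
    # Question 8: unintended bug triggered with Exploit Code -> role decides.
    if traits.get("exploits_code_flaw", False):
        if traits.get("vulnerable_code_in_server_role", False):
            return "#2 Exploiting Server"
        return "#3 Exploiting Client"
    # Question 9: designed functionality used beyond its intended scope.
    if traits.get("abuses_designed_function", False):
        return "#1 Abuse of Functions"
    return "UNCLASSIFIED: review as a sequence or edge case"

def classify_sequence(stages: list) -> str:
    """Complex attacks are sequences: classify each stage by its own root cause."""
    return "→".join(classify(stage).split()[0] for stage in stages)

# Constructed scenarios taken from the page's own examples (assumed traits).
MFA_BOMBING = [
    {"targets_authentication": True},      # stolen credentials
    {"abuses_designed_function": True},    # MFA request function abused
    {"targets_human_behavior": True},      # social engineering for approval
    {"targets_authentication": True},      # identity theft completed
]
SQL_INJECTION = {"exploits_code_flaw": True, "vulnerable_code_in_server_role": True}
DOM_XSS = {"exploits_code_flaw": True, "vulnerable_code_in_server_role": False}
DLL_INJECTION_VIA_DEBUG_API = {"abuses_designed_function": True}

if __name__ == "__main__":
    print(classify_sequence(MFA_BOMBING))
    print(classify(SQL_INJECTION), "|", classify(DOM_XSS))
```

Because the walk stops at the first YES, a stage that is both social engineering and foreign code execution classifies as #9, which is the page's "root cause, not impact" rule in action.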
Decision Tree Usage Guidelines
- Start with the generic vulnerability: What fundamental weakness is being exploited?
- Follow the sequence: Work through questions systematically
- Consider context: Same technique may map differently based on implementation
- Use sequences for complex attacks: Many real attacks involve multiple clusters (#9→#3→#7)
- Focus on root cause: Classify based on the initial vulnerability, not the impact