TLCTC Blog - 2025/04/18

Dual-Layer Notation in the TLCTC Framework: Strategic Simplicity, Operational Precision

The Need for Multi-Level Threat Representation

In the complex world of cybersecurity, having a consistent method to identify and categorize threats is essential for effective risk management. The Top Level Cyber Threat Clusters (TLCTC) framework addresses this need through a dual-notation system that bridges strategic management with operational implementation.

Two Complementary Notation Systems

Strategic Level Notation: #X → #Y Format

  • Simple Numbering: Uses #1 through #10 to represent the ten threat clusters
  • Sequence Notation: Employs arrows (→) to show attack progression (e.g., #9→#3→#7)
  • Parallel Execution: Uses plus signs (+) to indicate simultaneous threats (e.g., #1+#7)
  • Human-Readable: Designed for quick communication and strategic discussions
  • Management-Friendly: Facilitates high-level risk assessment and resource allocation decisions

Operational Level Notation: TLCTC-XX.YY Format

  • Structured Identifiers: Follows the TLCTC-XX.YY convention
  • Prefix: TLCTC- ensures proper attribution to the framework
  • Primary Cluster: XX represents the primary cluster number (01-10), zero-padded for consistent formatting
  • Refinement Suffix: .YY enables detailed sub-categorization (.00 designates high-level definitions)
  • Machine-Friendly: Designed for systematic processing and database integration

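The two notations above are regular enough to be parsed and converted mechanically. The following is an added example written for this page, not code from the TLCTC project: it parses the strategic #X form (arrows, plus signs, parenthesised parallel groups), validates TLCTC-XX.YY identifiers, rolls a refinement suffix up to its parent cluster, and converts in both directions. The function names and the acceptance of ASCII "->" as an alias for the arrow are choices made here; the cluster names in the dictionary are only those this page itself mentions.

```python
from __future__ import annotations

import re

# Only the clusters named on this page; the others are deliberately left unnamed.
CLUSTER_NAMES = {
    1: "Abuse of Functions",
    3: "Exploiting Client",
    4: "Identity Theft",
    7: "Malware",
    8: "Physical Attack",
    9: "Social Engineering",
}

ARROW = "\u2192"  # the → of the strategic notation; ASCII "->" is accepted as an alias
ATOM_RE = re.compile(r"\s*#(\d{1,2})\s*")            # one strategic token, e.g. "#9"
ID_RE = re.compile(r"\s*TLCTC-(\d{2})\.(\d{2})\s*")  # one operational identifier, e.g. "TLCTC-08.01"


def _strip_parens(step: str) -> str:
    """Remove one balanced pair of parentheses around a parallel group such as "(#1+#7)"."""
    step = step.strip()
    if step.startswith("(") and step.endswith(")"):
        return step[1:-1]
    return step


def parse_strategic(expr: str) -> list[list[int]]:
    """Parse '#9→#7→#4→(#1+#7)' into [[9], [7], [4], [1, 7]].

    Each inner list is one step of the progression; more than one cluster in a
    step means parallel execution ("+"). Any token that is not a valid #1..#10
    cluster raises ValueError, so malformed input never yields a partial path.
    """
    steps: list[list[int]] = []
    for raw_step in expr.replace("->", ARROW).split(ARROW):
        clusters: list[int] = []
        for atom in _strip_parens(raw_step).split("+"):
            m = ATOM_RE.fullmatch(atom)
            if m is None or not 1 <= int(m.group(1)) <= 10:
                raise ValueError(f"invalid cluster token {atom.strip()!r} in {expr!r}")
            clusters.append(int(m.group(1)))
        steps.append(clusters)
    return steps


def parse_identifier(ident: str) -> tuple[int, int]:
    """Validate a TLCTC-XX.YY identifier and return (cluster, refinement suffix)."""
    m = ID_RE.fullmatch(ident)
    if m is None:
        raise ValueError(f"not a TLCTC-XX.YY identifier: {ident!r}")
    cluster, suffix = int(m.group(1)), int(m.group(2))
    if not 1 <= cluster <= 10:
        raise ValueError(f"cluster {cluster:02d} is outside 01-10: {ident!r}")
    return cluster, suffix


def is_valid_identifier(ident: str) -> bool:
    try:
        parse_identifier(ident)
        return True
    except ValueError:
        return False


def parent_identifier(ident: str) -> str:
    """TLCTC-08.01 -> TLCTC-08.00: the .00 high-level definition of the same cluster."""
    cluster, _ = parse_identifier(ident)
    return f"TLCTC-{cluster:02d}.00"


def to_strategic_id(ident: str) -> str:
    """TLCTC-08.01 -> #8: any refinement rolls up to its primary cluster."""
    return f"#{parse_identifier(ident)[0]}"


def to_operational(steps: list[list[int]], suffix: str = "00") -> str:
    """Render parsed steps in TLCTC-XX.YY form, parenthesising parallel groups."""
    rendered = []
    for step in steps:
        ids = [f"TLCTC-{c:02d}.{suffix}" for c in step]
        rendered.append(ids[0] if len(ids) == 1 else "(" + " + ".join(ids) + ")")
    return f" {ARROW} ".join(rendered)


def to_strategic(steps: list[list[int]]) -> str:
    """Render parsed steps in #X form, e.g. [[9], [7], [4], [1, 7]] -> '#9→#7→#4→(#1+#7)'."""
    rendered = []
    for step in steps:
        tokens = [f"#{c}" for c in step]
        rendered.append(tokens[0] if len(tokens) == 1 else "(" + "+".join(tokens) + ")")
    return ARROW.join(rendered)


def parse_operational(expr: str) -> list[list[int]]:
    """Inverse of to_operational(); refinement suffixes are dropped, keeping cluster numbers."""
    return [[parse_identifier(tok)[0] for tok in _strip_parens(raw).split("+")]
            for raw in expr.split(ARROW)]


if __name__ == "__main__":
    for expr in ("#9\u2192#3\u2192#7", "#1+#7", "#9\u2192#7\u2192#4\u2192(#1+#7)"):
        steps = parse_strategic(expr)
        names = [[CLUSTER_NAMES.get(c, "?") for c in s] for s in steps]
        print(expr, "=>", to_operational(steps), names)
```

Rejecting anything outside #1..#10 (or a non-zero-padded cluster in the operational form) at parse time matters once these strings feed a database or SIEM rule set: a silently accepted "#11" or "TLCTC-8.1" would create an orphan category that no dashboard roll-up would ever pick up.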
The Power of Dual-Layer Notation

This structured approach serves several important purposes:

  1. Bridges Strategic and Operational Levels: Connects high-level risk management with detailed implementation
  2. Machine Readability: Enables automated processing and integration with security tools
  3. Consistent Communication: Ensures threats are described the same way across different teams
  4. Extensibility: Provides a clear path for future refinement while maintaining the core structure

An Example: Physical Attack

Let's examine how both notation systems work with Physical Attack as our example:

Strategic Notation: #8

Simple representation for discussions, threat modeling, and attack path mapping

Can be used in sequences like #9→#8→#7 (social engineering leading to physical access, resulting in malware implantation)

Operational Notation: TLCTC-08.00

Formal identifier for the top-level Physical Attack cluster

Defined as: "An attacker gains unauthorized physical interaction with or causes physical interference to hardware, devices, facilities, or data transmission media (including wireless signals)."

Operational Sub-Categories:

  • TLCTC-08.01: Direct Physical Access Attacks (requiring physical contact)
  • TLCTC-08.02: Indirect Physical Access Attacks (exploiting emanations or signals)

Each sub-category retains its connection to the parent cluster while enabling more specific analysis and control implementation.

Benefits of the Dual-Notation Approach

  1. Strategic Clarity: The #X format simplifies complex concepts for executive discussions
  2. Operational Precision: The TLCTC-XX.YY format provides the granularity needed for implementation
  3. Adaptability: Organizations can use the appropriate notation based on context and audience
  4. Framework Integration: Both notations remain compatible with other security frameworks
  5. Evolution Support: The structure accommodates emerging threats while maintaining consistency

Conclusion

The TLCTC dual-notation approach provides a comprehensive system for threat identification and categorization across organizational levels. The strategic #X notation facilitates high-level discussions and attack path modeling, while the operational TLCTC-XX.YY format ensures precise implementation and machine processing.

As cybersecurity continues to evolve, having this structured dual-layer approach will become increasingly valuable for bridging the gap between strategic decision-making and operational execution.

Key Takeaway: The TLCTC framework's dual-notation system combines strategic simplicity with operational precision, creating an approach that works effectively from the boardroom to the security operations center.

Practical Applications

Strategic Communication Example

Security leaders can quickly communicate attack scenarios using the #X notation: "Our threat intelligence indicates attackers are using a #9→#3→#7 sequence targeting our industry; we need to prioritize our phishing defenses and client-side controls."

Operational Implementation Example

Security engineers can implement precise controls based on refined categories: "Implement controls for TLCTC-08.01 by restricting physical access to server rooms and TLCTC-08.02 by deploying electromagnetic shielding."

Integration Example

A SIEM system could map both notation formats—using #X for high-level dashboards and TLCTC-XX.YY for detailed rule sets—creating a multi-dimensional view of threats that combines strategic awareness with tactical specificity.

Real-World Application Examples

Let's see how these notation systems work in practice with real-world examples from our other blog posts:

CVE Enhancement Example

When analyzing the Hyper-V VSP vulnerability (CVE-2025-21333), we can use both notation systems:

  • Strategic Notation: #3→#7→#1 (Exploiting Client leading to Malware deployment and Abuse of Functions)
  • Operational Notation: TLCTC-03.00 as primary cluster with TLCTC-07.00 and TLCTC-01.00 as potential follow-up clusters

This mapped vulnerability has a clear attack path representation: Potential Preceding: [#4, #7, #8, #9] → Primary: #3 → Potential Follow-up: [#7, #1]

Read the full CVE-TLCTC integration blog

Attack Sequence Example: Emotet Campaign

A real-world Emotet attack campaign can be represented as:

  • Strategic Notation: #9→#7→#4→(#1+#7)
  • Operational Notation: TLCTC-09.00 → TLCTC-07.00 → TLCTC-04.00 → (TLCTC-01.00 + TLCTC-07.00)

This notation clearly shows the progression: Social Engineering, initial Malware (Emotet), Identity Theft (credential harvesting via Trickbot), followed by parallel Abuse of Functions (lateral movement via stolen credentials) and further Malware deployment (Ryuk ransomware).
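The SIEM integration described under "Practical Applications" and the Emotet sequence above can be joined up in a few lines. The following is an added example, not code from the TLCTC project or from any SIEM vendor: a handful of constructed alert records, each tagged with the TLCTC-XX.YY identifier of the rule that fired, are rolled up to #X counts for a dashboard, kept at TLCTC-XX.YY granularity for the rule set, and, per host, ordered by timestamp into a strategic sequence string. The host names, timestamps and rule tags are invented for the example, and treating alerts that share a timestamp as parallel steps is an assumption made here.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample alerts (not real telemetry). Each record carries the
# operational identifier of the detection rule that fired.
ALERTS = [
    {"ts": "2025-04-18T08:01:00Z", "host": "ws-17", "rule": "TLCTC-09.00"},
    {"ts": "2025-04-18T08:04:00Z", "host": "ws-17", "rule": "TLCTC-07.00"},
    {"ts": "2025-04-18T08:09:00Z", "host": "ws-17", "rule": "TLCTC-04.00"},
    {"ts": "2025-04-18T08:15:00Z", "host": "ws-17", "rule": "TLCTC-01.00"},
    {"ts": "2025-04-18T08:15:00Z", "host": "ws-17", "rule": "TLCTC-07.00"},
    {"ts": "2025-04-18T09:30:00Z", "host": "dc-01", "rule": "TLCTC-08.01"},
    {"ts": "2025-04-18T09:31:00Z", "host": "dc-01", "rule": "TLCTC-08.02"},
]

ID_RE = re.compile(r"TLCTC-(0[1-9]|10)\.(\d{2})")  # zero-padded cluster 01-10, any .YY suffix
ARROW = "\u2192"


def cluster_of(rule: str) -> int:
    """Primary cluster number of a TLCTC-XX.YY identifier (the #X it rolls up to)."""
    m = ID_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"rule is not tagged with a valid TLCTC-XX.YY identifier: {rule!r}")
    return int(m.group(1))


def dashboard_rollup(alerts) -> dict[str, int]:
    """Strategic view: alert counts per #X cluster for the high-level dashboard."""
    return dict(Counter(f"#{cluster_of(a['rule'])}" for a in alerts))


def ruleset_rollup(alerts) -> dict[str, int]:
    """Operational view: alert counts per TLCTC-XX.YY identifier for the detailed rule set."""
    return dict(Counter(a["rule"] for a in alerts))


def host_sequence(alerts, host: str) -> str:
    """Reconstruct one host's observed progression in strategic notation.

    Alerts are ordered by timestamp; alerts sharing a timestamp are rendered as a
    parallel group (#A+#B); a cluster repeated in consecutive steps is collapsed,
    so TLCTC-08.01 followed by TLCTC-08.02 reads as a single #8.
    """
    by_ts: dict[str, set[int]] = defaultdict(set)
    for a in alerts:
        if a["host"] == host:
            by_ts[a["ts"]].add(cluster_of(a["rule"]))
    steps: list[str] = []
    for ts in sorted(by_ts):  # ISO-8601 UTC strings sort chronologically
        tokens = [f"#{c}" for c in sorted(by_ts[ts])]
        step = tokens[0] if len(tokens) == 1 else "(" + "+".join(tokens) + ")"
        if not steps or steps[-1] != step:
            steps.append(step)
    return ARROW.join(steps)


if __name__ == "__main__":
    print("dashboard:", dashboard_rollup(ALERTS))
    print("rule set: ", ruleset_rollup(ALERTS))
    for h in ("ws-17", "dc-01"):
        print(h, host_sequence(ALERTS, h))
```

For the constructed ws-17 records the reconstructed sequence is #9→#7→#4→(#1+#7), the same shape as the Emotet progression above, while the dashboard sees only cluster totals and the rule-set view keeps TLCTC-08.01 and TLCTC-08.02 apart. A rule tagged with a malformed identifier raises rather than being counted under a wrong cluster, which is the failure mode to avoid when the two layers are meant to stay consistent.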

Read the full MITRE-TLCTC integration blog