TLCTC Blog - 2025/02/14
Critical Analysis: FAIR Integration with TLCTC
Overview
FAIR (Factor Analysis of Information Risk) provides a robust framework for quantifying information security risk but lacks a structured approach to threat categorization and struggles with modeling complex attack sequences. The TLCTC framework, using its `TLCTC-XX.YY` enumeration, can enhance FAIR's capabilities by providing both precise threat categorization and a methodology for understanding attack sequences.
Current State Analysis
FAIR's Strengths
- Strong quantitative risk analysis methodology
- Clear framework for calculating loss magnitude
- Established approach to control effectiveness evaluation
- Proven methodology for risk prioritization
FAIR's Limitations
- Lacks explicit, standardized threat categorization
- Struggles with modeling complex, multi-stage attacks
- Limited ability to represent parallel threat execution
- Oversimplified view of attack sequences
- Difficulty in modeling threat interdependencies
TLCTC's Complementary Capabilities
- Precise threat categorization through 10 distinct clusters (e.g., TLCTC-01.00 to TLCTC-10.00)
- Clear attack sequence notation using cluster identifiers (e.g., TLCTC-09.00 -> TLCTC-03.00 -> TLCTC-07.00)
- Support for parallel threat execution (e.g., (TLCTC-01.00 + TLCTC-07.00))
- Bow-tie model separating causes from consequences
- Structured approach to control mapping via NIST CSF functions
Enhanced Integration Framework
1. Risk Quantification Enhancements
Sequence Complexity Factor (SCF)
- Accounts for attack path length and complexity (using TLCTC sequences)
- Incorporates parallel threat execution (using TLCTC notation)
- Adjusts base risk calculations for complex scenarios
Compound Threat Multipliers (CTM)
- Models simultaneous threat execution (e.g., (TLCTC-01.00 + TLCTC-07.00))
- Accounts for threat synergy effects
- Enhances probability calculations for complex attacks
Path Variance Analysis (PVA)
- Evaluates multiple potential attack paths (represented by TLCTC sequences)
- Weights alternative attack sequences
- Provides more accurate total risk assessment
Control Effectiveness Matrices (CEM)
- Maps control effectiveness across multiple TLCTC clusters
- Accounts for sequence position in effectiveness calculations
- Provides more accurate defense capability assessment
2. Implementation Framework
Phase | Activities
---|---
Threat Modeling Phase |
Risk Analysis Phase |
Risk Reporting Phase |
Real-World Application Example
Using the Emotet attack sequence from the whitepaper, now with TLCTC enumeration:
TLCTC-09.00 -> TLCTC-07.00 -> TLCTC-07.00 -> TLCTC-04.00 -> (TLCTC-01.00 + TLCTC-07.00)
(Sequence: Social Engineering -> Malware -> Malware -> Identity Theft -> (Abuse of Functions + Malware))
Enhanced FAIR Analysis
- Calculate base risk using traditional FAIR
- Apply SCF for the 5-step sequence identified via TLCTC
- Apply CTM for the parallel execution (TLCTC-01.00 + TLCTC-07.00)
- Consider alternative attack paths (PVA) modeled with TLCTC sequences
- Evaluate control effectiveness across the sequence using CEM mapped to TLCTC clusters
Benefits of Integration
1. More Accurate Risk Quantification
- Accounts for attack sequence complexity via TLCTC paths
- Models parallel threat execution per TLCTC notation
- Considers multiple attack paths defined by TLCTC sequences
2. Improved Control Evaluation
- Maps controls to specific TLCTC clusters
- Evaluates effectiveness across TLCTC-defined attack sequences
- Provides more precise defense planning
3. Enhanced Communication
- Clear, standardized threat categorization (TLCTC-XX.YY)
- Standardized attack sequence notation (-> and + with TLCTC IDs)
- Improved stakeholder understanding
4. Better Resource Allocation
- More precise risk prioritization informed by TLCTC analysis
- Clearer control implementation guidance tied to TLCTC clusters
- Better-informed investment decisions
Specific FAIR Enhancement Proposals (Conceptual with TLCTC Notation)
1. Sequence Complexity Factor (SCF)
# Concept: Adjust risk based on sequence length and parallel steps
# Example using Emotet sequence:
# TLCTC-09.00 -> TLCTC-07.00 -> TLCTC-07.00 -> TLCTC-04.00 -> (TLCTC-01.00 + TLCTC-07.00)
# Sequence_Length = 5 steps
# Parallel_Threats = 1 instance (at the end)
# SCF modifier would reflect this complexity.
2. Compound Threat Multipliers (CTM)
# Concept: Increase probability/impact when threats execute in parallel
# Example: (TLCTC-01.00 + TLCTC-07.00)
# The multiplier reflects the increased risk from executing
# Abuse of Functions and Malware deployment simultaneously.
3. Path Variance Analysis (PVA)
# Concept: Calculate risk for multiple potential paths using TLCTC notation.
# Pegasus campaign path examples:
# Path 1: TLCTC-09.00 -> TLCTC-03.00 -> TLCTC-07.00 (Risk_P1)
# Path 2: (TLCTC-05.00 + TLCTC-04.00) -> TLCTC-03.00 -> TLCTC-07.00 (Risk_P2)
# Path 3: (TLCTC-01.00 + TLCTC-05.00) -> TLCTC-03.00 -> TLCTC-07.00 (Risk_P3)
# Total Risk = Function(Risk_P1, Risk_P2, Risk_P3, ...)
4. Control Effectiveness Matrices (CEM)
# Concept: Evaluate control effectiveness against each specific TLCTC cluster.
# Example Control: Security Awareness Training
# Effectiveness vs TLCTC-09.00 (Social Eng.): Moderate/High
# Effectiveness vs TLCTC-03.00 (Exploiting Client): Low/None
# Effectiveness vs TLCTC-07.00 (Malware): Low/None
# CEM reflects effectiveness per cluster within the attack sequence.
Final Risk Calculation
The final enhanced FAIR risk score conceptually integrates these factors, using TLCTC for structure:
Enhanced_FAIR_Risk = Function(Base_FAIR_Risk, SCF(TLCTC_Seq), CTM(TLCTC_Parallel), PVA(TLCTC_Paths), CEM(TLCTC_Clusters))
(Note: The exact mathematical integration requires specific modeling choices beyond this conceptual outline.)
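As an added worked example (not code from the blog or the TLCTC project), the following Python parses the `->`/`+` sequence notation used above for the Emotet and Pegasus paths and implements one assumed instance of each proposal (SCF, CTM, PVA, CEM) and of the final Function(...). The step weights, the 0.25 parallel increment, the numeric CEM values behind the page's Moderate/High and Low/None ratings, the independent-path aggregation and the multiplicative combination are all modelling choices assumed here for illustration, not part of the page.

```python
import re

# Parses this page's TLCTC sequence notation, e.g.
# "TLCTC-09.00 -> TLCTC-07.00 -> (TLCTC-01.00 + TLCTC-07.00)":
# "->" separates steps; a parenthesised "+" group is one parallel step.
def parse_sequence(seq):
    steps = []
    for step in seq.split("->"):
        ids = re.findall(r"TLCTC-\d{2}\.\d{2}", step)
        if not ids:
            raise ValueError(f"unparseable step: {step!r}")
        steps.append(ids)
    return steps

# SCF: 1.0 for a single step, plus step_weight per extra step and
# parallel_weight per parallel step (weights are assumed modelling choices).
def sequence_complexity_factor(steps, step_weight=0.05, parallel_weight=0.10):
    parallel = sum(1 for s in steps if len(s) > 1)
    return 1.0 + step_weight * (len(steps) - 1) + parallel_weight * parallel

# CTM: each parallel step of n clusters multiplies risk by 1 + per_extra*(n-1).
def compound_threat_multiplier(steps, per_extra=0.25):
    ctm = 1.0
    for s in steps:
        if len(s) > 1:
            ctm *= 1.0 + per_extra * (len(s) - 1)
    return ctm

# PVA: probability that at least one alternative path succeeds, treating
# the paths as independent (an assumed aggregation function).
def path_variance_risk(path_risks):
    survive = 1.0
    for r in path_risks.values():
        survive *= 1.0 - r
    return 1.0 - survive

# CEM row: fraction of attempts a control stops, per cluster. Ratings follow
# the page (Moderate/High vs 09.00, Low/None elsewhere); numbers are assumed.
CEM = {"Security Awareness Training":
       {"TLCTC-09.00": 0.6, "TLCTC-03.00": 0.0, "TLCTC-07.00": 0.0}}

# Share of attempts that get past the control: every cluster at every step
# must pass (clusters without a rating are assumed unaffected).
def residual_fraction(steps, control):
    frac = 1.0
    for cid in (c for s in steps for c in s):
        frac *= 1.0 - CEM[control].get(cid, 0.0)
    return frac

# One assumed instance of the page's Enhanced_FAIR_Risk = Function(...).
def enhanced_fair_risk(base_risk, seq, control):
    steps = parse_sequence(seq)
    return (base_risk * sequence_complexity_factor(steps)
            * compound_threat_multiplier(steps) * residual_fraction(steps, control))
```

For the Emotet sequence this gives SCF 1.30 (five steps, one parallel step), CTM 1.25 and a residual fraction of 0.4 against Security Awareness Training; the three Pegasus paths combine via PVA as 1 minus the product of their miss probabilities.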