TLCTC Blog - 2025/04/29

Analysis of VERIS using TLCTC Principles

1. Executive Summary

This analysis evaluates the Vocabulary for Event Recording and Incident Sharing (VERIS) framework through the precise definitions and axiomatic principles of the Top Level Cyber Threat Clusters (TLCTC) framework.

Key Findings:

  • Definitional Divergence: VERIS, designed for incident description, lacks the strict, vulnerability-centric definitions of threats, vulnerabilities, and risks found in TLCTC. VERIS 'Actions' describe what happened, while TLCTC Clusters categorize based on the fundamental vulnerability exploited.
  • Logical Model Differences: VERIS follows a descriptive A4 (Actor, Action, Asset, Attribute) model. TLCTC utilizes an axiomatic, causal bow-tie model, rigorously separating causes (Threats/Vulnerabilities) from the central event (Loss of Control) and effects (Consequences/Impact). From a TLCTC perspective, VERIS conflates these elements.
  • Category Overlap: While VERIS's A4 dimensions are distinct, its 'Action' varieties can overlap and mix levels of abstraction. TLCTC aims for mutually exclusive strategic clusters based on unique generic vulnerabilities, handling complexity via sequences.
  • Causal Clarity: TLCTC's bow-tie explicitly distinguishes system compromise (Loss of Control) from subsequent data risk events (Loss of C/I/A), highlighting a potential detection window. VERIS captures C/I/A loss via 'Attributes' but doesn't structurally enforce this causal separation.
  • Strategic Alignment: TLCTC is built for strategic-operational linkage via its vulnerability-based clusters. VERIS excels at operational data capture but requires significant interpretation (ideally through a framework like TLCTC) to align directly with strategic risk management focused on root causes.

Key Recommendations:

  • Employ TLCTC as the primary framework for strategic threat categorization, causal analysis, and risk management due to its definitional rigor and logical structure.
  • Utilize VERIS for its strength in detailed operational incident data collection (actors, specific actions/TTPs, assets, impact quantification).
  • Integrate the frameworks by mapping detailed VERIS data (especially Action varieties/vectors) as sub-threats/TTPs within the corresponding TLCTC clusters.
  • Structure the analysis of VERIS-recorded incidents using the TLCTC bow-tie model to enhance causal understanding and strategic relevance.

2. VERIS Overview

The Vocabulary for Event Recording and Incident Sharing (VERIS) is a standardized schema designed to provide a common language for describing security incidents. Its core purpose is to enable consistent data collection about incidents, facilitating analysis, trending, sharing of anonymized information, and ultimately, better risk management decisions based on empirical data. VERIS structures incident descriptions around four primary dimensions, known as the "A4" model:

A4 Component | Description | Examples
Actors | Identifies who acted in the incident | External (nation-state, criminal), Internal (end-user), Partner, Unknown
Actions | Describes what the actors did | Malware, Hacking, Social, Misuse, Physical, Error, Environmental
Assets | Specifies what organizational assets were affected | Servers, Networks, User Devices, People, Data
Attributes | Details how the assets were compromised | Confidentiality, Integrity, and Availability (C/I/A)

Additionally, VERIS includes fields for timeline, discovery methods, impact assessment (including financial loss estimation), and victim demographics, allowing for rich, multi-faceted incident descriptions.

3. Detailed Analysis

3.1. DEFINITIONAL CLARITY

Concept | VERIS Definition | TLCTC Definition
Threat | Primarily embodied in the Action (e.g., Hacking, Malware, Social) and Actor categories. It describes what action was performed and by whom. | TTPs used to exploit a vulnerability. (TLCTC p. 29)
Vulnerability | Not a core definitional element. Specific vulnerabilities (like CVEs) can be linked under Action types, but the framework isn't structured around types of vulnerabilities. | The root weakness defining a cluster (e.g., coding flaws, IAM process flaws, human factors). (TLCTC p. 12, 16-28)
Incident | The central concept – a record capturing the A4 elements, timeline, impact, etc. | The central "Loss of Control" in the bow-tie. (TLCTC p. 32-33)
Risk | Not defined within the A4 model. Addressed through the consequences captured in the Attribute and Impact sections. | Likelihood of a Threat Cluster exploitation leading to impact. (TLCTC p. 29)

Misalignment: VERIS lacks TLCTC's precise, axiomatic definitions. The core difference lies in the starting point: VERIS describes observed incident characteristics (A4), while TLCTC categorizes based on the underlying generic vulnerability being exploited (the "why"). VERIS's Action often captures how an attack occurred (TTPs), whereas TLCTC's Cluster identifies what fundamental weakness allowed it.

Alignment: Both aim to structure information about security events. VERIS attribute compromises (C/I/A) align conceptually with TLCTC's consequences/data risk events. VERIS actor separation aligns with TLCTC's separation of threats from threat actors (Axiom V, p.13).

3.2. LOGICAL CONSISTENCY

VERIS Consistency: VERIS is consistent within its own descriptive A4 model. It provides a repeatable structure for cataloging who did what to what, and how it was affected.

TLCTC Principles: TLCTC emphasizes logical consistency derived from axioms (p.12), particularly the separation of cause (Threat/Vulnerability) from effect (Event/Consequences) and the avoidance of conflating different concepts (Axiom III, IV, p.12).

Evaluation:

  • VERIS is pragmatic, not axiomatically derived like TLCTC.
  • From the TLCTC viewpoint, VERIS conflates concepts:
    • Causes/Effects: Action (cause) is categorized alongside Attribute (effect/consequence) within the main structure. The TLCTC bow-tie strictly separates these.
    • Threats/Vulnerabilities: VERIS Action varieties often describe TTPs (Threats) without explicitly isolating the targeted Vulnerability type as the primary category, unlike TLCTC Clusters.
    • Example Conflation: A phishing attack (action.social.variety) might lead to malware execution (action.malware.variety). VERIS records both actions. TLCTC analyzes this as a sequence: #9 Social Engineering (exploiting human vulnerability) leading to #7 Malware (exploiting execution capability vulnerability). VERIS lists actions; TLCTC emphasizes the causal chain linked by exploited vulnerabilities.
  • VERIS doesn't enforce a strict causal hierarchy based on vulnerability exploitation as its primary structure.

3.3. NON-OVERLAPPING CATEGORIES

VERIS Categories:

  • The top-level A4 dimensions (Actor, Action, Asset, Attribute) are definitionally distinct.
  • Within Action, the primary types (Malware, Hacking, etc.) aim for distinction, but an incident often involves multiple types, which VERIS records.
  • The action.variety enumerations (e.g., within Hacking) can potentially overlap depending on interpretation or the specific TTP used.
  • VERIS mixes levels of abstraction: high-level Action types, specific action.variety TTPs, Asset types, Attribute impacts are all part of the incident description layer.

TLCTC Comparison:

  • TLCTC strives for mutually exclusive clusters at the strategic level, based on distinct generic vulnerabilities (Axiom I, II, p.12; p. 37, 48, 87).
  • Complexity and apparent overlap are handled by defining sequences of distinct cluster exploitations (e.g., #9 -> #4 -> #7). Overlap isn't allowed within the definition of a single cluster at the strategic level.
  • TLCTC maintains a clearer separation between Strategic (Clusters) and Operational (Sub-Threats/TTPs) levels of abstraction (Axiom IX, p.13).

Evaluation: VERIS action varieties can exhibit overlap and mix abstraction levels (methods, vectors, outcomes implicitly). TLCTC's focus on unique generic vulnerabilities per cluster enforces non-overlap at the strategic level, providing clearer categorization, with sequences handling multi-stage attacks.

3.4. SYSTEM VS. DATA RISK EVENTS

VERIS Handling:

  • System Compromise: Captured implicitly through the combination of Action (e.g., Malware, Hacking) affecting an Asset (e.g., Server, Endpoint). There is no single field explicitly labeling "System Compromise" or "Loss of Control."
  • Data Risk Events: Clearly captured via the Attribute dimension (Confidentiality, Integrity, Availability) and detailed sub-fields like attribute.confidentiality.data_disclosure. The Impact section quantifies the result.

TLCTC Model:

  • The bow-tie model (p. 32-34, 38) explicitly separates the Threat Cluster exploitation (Cause) from the central Loss of Control/System Compromise event (Pivot) and the subsequent Data Risk Events (Consequences - C/I/A loss).
  • Crucially, TLCTC notes that the Loss of Control event can precede the Data Risk Event (p. 32-33), creating a potential detection window.

Assessment: VERIS effectively records that data compromise (C/I/A loss) occurred and what actions were involved. However, it lacks the explicit structural separation of the TLCTC bow-tie, which distinguishes the initial system compromise ("Loss of Control") as a distinct pivot point potentially separate in time from the ultimate data impact. This structural separation in TLCTC provides enhanced causal clarity and highlights operational significance (detection windows).

3.5. POTENTIAL SYNERGIES

VERIS Strengths Enhancing TLCTC:

  • Operational Granularity: VERIS's rich enumerations provide the detailed evidence needed to populate TLCTC's operational layer.
  • Data Schema: Provides a mature, practical schema for capturing the raw incident details.
  • Impact Quantification: VERIS's structured impact section is more detailed than TLCTC's general concept of consequences.

TLCTC Principles Addressing VERIS Limitations:

  • Strategic Framework: TLCTC provides a non-overlapping, vulnerability-based strategic categorization layer that VERIS lacks natively.
  • Causal Structure: The TLCTC bow-tie imposes a rigorous causal logic that can structure and clarify the relationships between elements described in VERIS.
  • Definitional Rigor: Applying TLCTC's definitions helps disambiguate and consistently interpret VERIS data, reducing conflation.
  • Root Cause Focus: TLCTC guides analysis towards the initial generic vulnerability exploited, complementing VERIS's description of the event sequence.

3.6. STRATEGIC RISK MANAGEMENT INTEGRATION

VERIS Integration: VERIS data informs risk management by revealing operational trends (common actions, actors, assets, impacts). This helps identify control weaknesses and quantify losses. However, aggregating this detailed, event-focused data into high-level, strategic risk categories aligned with fundamental threat types (rather than specific actions) requires interpretation and often lacks a direct, repeatable mechanism within VERIS itself.

TLCTC Integration: TLCTC is explicitly designed to bridge strategic and operational levels (p. 2, 8, 32, 86-88). The 10 clusters, defined by generic vulnerabilities, provide a stable, high-level taxonomy suitable for:

  • Defining strategic risk appetite per threat type (Cluster).
  • Aligning strategic resource allocation based on exposure to fundamental vulnerabilities.
  • Communicating cyber risk posture to leadership using a manageable set of categories (e.g., via Cyber Threat Radars, p. 72-73).
  • Mapping high-level controls (e.g., NIST CSF functions, p. 78).

Assessment & Recommendations: VERIS provides the essential operational data feed, while TLCTC supplies the necessary strategic framework and causal logic. To enhance VERIS for strategic alignment using TLCTC:

  • Mandatory Mapping: Require mapping each VERIS incident to a primary initiating TLCTC cluster during analysis.
  • Strategic Reporting: Aggregate VERIS incident frequency and impact data based on the mapped TLCTC clusters for strategic dashboards and risk reporting.
  • KRI Development: Use TLCTC clusters to define strategic KRIs, which are then measured using analysis of underlying VERIS data trends.

3.7. CASE STUDY

Scenario: Phishing email leads to credential theft and ransomware

Phishing email (#9) leads employee to enter credentials on a fake site (#4), attacker uses creds to access server (#1 or #2 depending on how access works) and deploys ransomware (#7).

VERIS Analysis:

  • Actor: External (Org Crime, Financial motive)
  • Actions: Social (Phishing, Email); Hacking (Use of stolen creds, Web App/Remote access); Malware (Ransomware, Downloaded/Launched)
  • Assets: People (Employee); Data (Credentials); Server (File Server); Data (Files)
  • Attributes: Confidentiality (Credentials); Integrity (Files encrypted, Software installed); Availability (Files encrypted)
  • Impact: Financial (Response, Ransom?), Operational disruption
  • Insight: Detailed inventory of actions, assets, and impacts. Describes what happened.

TLCTC Analysis:

  • Sequence: #9 (Social Eng) -> #4 (Identity Theft) -> #1 (Abuse of Functions - using legit access via creds) / #2 (Exploiting Server - if vuln used post-auth) -> #7 (Malware - ransomware)
  • Central Event: Loss of Control (Account, then Server)
  • Consequences: Loss of C/I/A (Credentials, Files)
  • Insight: Causal chain based on exploited generic vulnerabilities (Human -> IAM -> Function Scope/Server Code -> Execution Env). Provides immediate strategic category.

Practical Implications:

  • VERIS provides the detailed evidence. TLCTC provides the strategic categorization and causal explanation ("Why").
  • A VERIS-only view might show peaks in "Phishing" and "Ransomware". A TLCTC view highlights that vulnerabilities in human factors (#9), identity management (#4), access control (#1), and code execution controls (#7) are being successfully chained.
  • This TLCTC perspective might lead to different strategic investments (e.g., stronger MFA and IAM [#4], better EDR [#7], principle of least privilege [#1]) compared to only focusing on email filters (#9) and AV (#7).

3.8. MAPPING VERIS ACTION CATEGORIES TO TLCTC CLUSTERS

A critical enhancement to the integration of these frameworks is a systematic mapping between VERIS's detailed Action categories and TLCTC's Threat Clusters. This mapping provides the operational-to-strategic bridge essential for effective threat intelligence:

VERIS Action Category | Primary TLCTC Cluster(s) | Rationale
Social: Phishing | #9 Social Engineering | Exploits human vulnerability to deception
Social: Pretexting | #9 Social Engineering | Exploits human vulnerability to deception
Social: Bribery | #9 Social Engineering | Exploits human vulnerability to influence
Hacking: SQL Injection | #2 Exploiting Server | Exploits flaws in server-side code implementation
Hacking: XSS | #2 Exploiting Server | Exploits flaws in server-side output handling
Hacking: Brute Force | #4 Identity Theft | Targets credential acquisition through systematic guessing
Hacking: Use of stolen creds | #4 Identity Theft | Exploits weak IAM processes (stolen credentials)
Malware: Ransomware | #7 Malware | Exploits code execution capability
Malware: Backdoor | #7 Malware | Exploits code execution capability
Malware: Spyware | #7 Malware | Exploits code execution capability
Physical: Theft | #8 Physical Attack | Exploits physical accessibility
Physical: Tampering | #8 Physical Attack | Exploits physical accessibility

Critical Mapping Considerations:

  1. Context Sensitivity: Some VERIS action varieties require contextual analysis to determine the correct TLCTC cluster. For example, "Exploitation of vulnerability" could map to #2 or #3 depending on whether it's server or client-side.
  2. Attack Sequencing: VERIS may record multiple actions for a single incident that TLCTC would consider a sequence. It's crucial to determine which action represents the initial vector versus follow-on activities.
  3. Vector Importance: VERIS's "action.x.vector" field often provides critical information for determining the correct TLCTC cluster (e.g., "Email" vector for phishing indicates #9).
  4. Operational-Strategic Translation: This mapping transforms VERIS's operational descriptions into TLCTC's strategic categorization, enabling more effective communication with leadership about fundamental vulnerability types being exploited.
  5. Threat Intelligence Enhancement: By mapping VERIS incidents to TLCTC clusters using this framework, organizations can:
    • Group similar TTPs based on the fundamental vulnerability exploited
    • Develop strategic defensive measures addressing root causes
    • Prioritize controls based on exploited vulnerability trends
    • Communicate risk in business-relevant terms aligned with strategic objectives

4. Integration Recommendations

  1. Adopt TLCTC for Strategic Categorization: Use the 10 TLCTC clusters as the authoritative high-level framework for categorizing threats based on the root generic vulnerability exploited. This layer is essential for strategic risk management and communication.
  2. Map VERIS Detail to TLCTC Operational Layer: Treat VERIS action.variety and action.vector data as Tactics, Techniques, and Procedures (TTPs) or "sub-threats" that fall within one or more TLCTC clusters based on the vulnerability they exploit in a specific incident context. Maintain a mapping dictionary as outlined in section 3.8.
  3. Utilize VERIS for Data Capture: Leverage the comprehensive VERIS schema for detailed, consistent recording of incident specifics (Actors, Actions, Assets, Attributes, Timeline, Discovery, Impact).
  4. Structure Analysis with TLCTC Bow-Tie: When analyzing incidents recorded via VERIS, apply the TLCTC bow-tie model:
    • Identify the initiating TLCTC cluster(s).
    • Pinpoint the "Loss of Control" / "System Compromise" event.
    • Map VERIS attribute and impact data to the Consequences side.
    • Use VERIS timeline data and identified Action sequences to map the TLCTC cluster sequence (e.g., #9 -> #4 -> #7).
  5. Dual-Layer Reporting: Produce operational reports using granular VERIS data. Generate strategic reports by aggregating VERIS incident frequency and impact metrics according to their primary mapped TLCTC cluster, providing leadership with a view aligned to fundamental risk areas.
  6. Consider TLCTC Tagging: Optionally, enhance VERIS implementations by adding a custom field (e.g., plus.tlctc_primary_cluster, plus.tlctc_sequence) to store the TLCTC categorization derived during analysis directly within the incident record.
  7. Implement a Standardized Mapping Reference: Develop and maintain an organization-specific reference document mapping VERIS action varieties to TLCTC clusters based on the framework provided in section 3.8, updated regularly as new techniques emerge.
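The mapping dictionary of section 3.8 and the tagging, sequencing and dual-layer reporting steps of this section can be exercised together in a small script. The following is an added example written for this post; it is not code from the VERIS project or from the TLCTC framework. It assumes VERIS's action.<category>.variety / action.<category>.vector array layout and the impact.overall_amount field, uses the variety strings as the page words them (the VERIS enumeration strings in a given schema version may differ and should be adjusted), stores the result in the plus.tlctc_primary_cluster and plus.tlctc_sequence fields named in recommendation 6, and takes the chronological order of action categories from an analyst-supplied default because VERIS timestamps the incident as a whole rather than each action. The cluster name "Exploiting Client" for #3 is TLCTC's label for the client-side cluster that section 3.8 refers to only by number; the sample records and vector keyword sets are constructed. Applied to the section 3.7 case study actions, it yields the sequence #9 -> #4 -> #7; the #1/#2 step the case study discusses depends on how access to the server was used and is left to the analyst rather than guessed.

```python
"""Map VERIS-style incident records to TLCTC clusters, tag them, and aggregate per cluster.

Added example for this post (not VERIS or TLCTC project code). Field layout, variety
strings, vector keyword sets and sample records are assumptions/constructed.
"""
from collections import Counter, defaultdict

# Cluster labels as used on the page; "#3 Exploiting Client" is TLCTC's name for the
# client-side cluster the page refers to only by number.
TLCTC = {
    "#1": "Abuse of Functions", "#2": "Exploiting Server", "#3": "Exploiting Client",
    "#4": "Identity Theft", "#7": "Malware", "#8": "Physical Attack",
    "#9": "Social Engineering",
}

# Mapping dictionary from section 3.8, keyed by (VERIS action category, variety).
# Variety strings follow the page's wording, not necessarily the VERIS enumeration.
VARIETY_TO_CLUSTER = {
    ("social", "Phishing"): "#9", ("social", "Pretexting"): "#9", ("social", "Bribery"): "#9",
    ("hacking", "SQL Injection"): "#2", ("hacking", "XSS"): "#2",
    ("hacking", "Brute Force"): "#4", ("hacking", "Use of stolen creds"): "#4",
    ("malware", "Ransomware"): "#7", ("malware", "Backdoor"): "#7", ("malware", "Spyware"): "#7",
    ("physical", "Theft"): "#8", ("physical", "Tampering"): "#8",
}

# Context-sensitive case from section 3.8: "Exploitation of vulnerability" is #2 when the
# vector points at a server-side surface and #3 when it points at a client. Keyword sets assumed.
SERVER_SIDE_VECTORS = {"Web application", "Remote access", "Backdoor or C2"}
CLIENT_SIDE_VECTORS = {"Email", "Email attachment", "Web drive-by", "Download by malware"}


def map_action(category, variety, vectors=()):
    """Return the TLCTC cluster id for one VERIS action, or None if it cannot be decided."""
    if (category, variety) == ("hacking", "Exploitation of vulnerability"):
        if any(v in SERVER_SIDE_VECTORS for v in vectors):
            return "#2"
        if any(v in CLIENT_SIDE_VECTORS for v in vectors):
            return "#3"
        return None  # vector missing: leave for the analyst rather than guess a cluster
    return VARIETY_TO_CLUSTER.get((category, variety))


# Assumed analyst-supplied chronological order of action categories (VERIS only timestamps
# the incident as a whole). The default follows the section 3.7 case study ordering.
DEFAULT_ORDER = ("social", "physical", "hacking", "malware")


def tlctc_sequence(incident, order=DEFAULT_ORDER):
    """Derive the cluster sequence (e.g. ['#9', '#4', '#7']), collapsing consecutive repeats."""
    seq = []
    actions = incident.get("action", {})
    for category in order:
        block = actions.get(category)
        if not block:
            continue
        for variety in block.get("variety", []):
            cluster = map_action(category, variety, block.get("vector", []))
            if cluster and (not seq or seq[-1] != cluster):
                seq.append(cluster)
    return seq


def tag_incident(incident):
    """Store the derived categorisation in the VERIS 'plus' extension block (field names from this post)."""
    seq = tlctc_sequence(incident)
    plus = incident.setdefault("plus", {})
    plus["tlctc_primary_cluster"] = seq[0] if seq else None  # initiating cluster
    plus["tlctc_sequence"] = " -> ".join(seq)
    return incident


def strategic_summary(incidents):
    """Aggregate incident frequency and impact per primary cluster for strategic reporting."""
    count, loss = Counter(), defaultdict(float)
    for inc in incidents:
        primary = tag_incident(inc)["plus"]["tlctc_primary_cluster"] or "unmapped"
        count[primary] += 1
        loss[primary] += inc.get("impact", {}).get("overall_amount", 0.0)
    return {c: {"name": TLCTC.get(c, "?"), "incidents": count[c], "loss": loss[c]} for c in count}


# Constructed sample records: the first mirrors the section 3.7 case study actions.
SAMPLE_INCIDENTS = [
    {"incident_id": "constructed-001",
     "action": {"social": {"variety": ["Phishing"], "vector": ["Email"]},
                "hacking": {"variety": ["Use of stolen creds"], "vector": ["Web application"]},
                "malware": {"variety": ["Ransomware"], "vector": ["Downloaded"]}},
     "impact": {"overall_amount": 250000.0}},
    {"incident_id": "constructed-002",
     "action": {"hacking": {"variety": ["Exploitation of vulnerability"], "vector": ["Web application"]},
                "malware": {"variety": ["Backdoor"]}},
     "impact": {"overall_amount": 40000.0}},
    {"incident_id": "constructed-003",
     "action": {"hacking": {"variety": ["Exploitation of vulnerability"], "vector": ["Web drive-by"]},
                "malware": {"variety": ["Spyware"]}}},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc["incident_id"], tag_incident(inc)["plus"])
    print(strategic_summary(SAMPLE_INCIDENTS))
```

Unmapped or undecidable actions deliberately return None instead of a best guess, so the operational report still shows the raw VERIS detail while the strategic summary flags the record as "unmapped" for analyst review; that keeps the mapping reference (recommendation 7) honest as new varieties appear.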

5. Conclusion

VERIS and TLCTC offer distinct but highly complementary capabilities for understanding and managing cyber risk. VERIS provides an invaluable, detailed vocabulary and schema for describing the observable characteristics of security incidents, making it ideal for operational data collection, trending, and sharing. TLCTC, grounded in axioms and focused on generic vulnerabilities, delivers a logically consistent, non-overlapping framework for categorizing threats strategically and analyzing incidents through a clear causal lens (the bow-tie model).

The systematic mapping between VERIS action categories and TLCTC clusters creates a powerful bridge between operational data and strategic risk management, enabling organizations to derive more meaningful insights from their incident data and implement more effective defensive measures targeting fundamental vulnerabilities.

While VERIS captures what happened, TLCTC explains why it happened in terms of fundamental weaknesses. Integrating the two frameworks—using TLCTC as the strategic, causal overlay and VERIS for the operational detail—allows organizations to bridge the gap between granular incident data and high-level risk management, leading to more informed decisions, targeted control implementation, and a more robust cybersecurity posture.