TLCTC Blog - 2023/02/11

Why Ten? A Comprehensive Analysis of the Top Level Cyber Threat Clusters Framework

Introduction

The Top Level Cyber Threat Clusters (TLCTC) framework proposes a structured approach to categorizing cyber threats through ten distinct clusters. This naturally raises the question: "Why ten clusters?" This analysis explores the rationale behind this number, its implications for practical implementation, and its role in the evolution of cyber threat categorization.

A Provocative Starting Point

The selection of ten clusters serves as a deliberate challenge to the cybersecurity community, particularly to major bodies like NIST and MITRE. It highlights the limitations of existing frameworks like STRIDE, which has served the industry well but struggles to address the full spectrum of modern cyber threats. The TLCTC framework demonstrates that a more comprehensive and logically consistent approach is possible, while remaining open to evolution as long as the fundamental axioms are not violated.

The Control Implementation Matrix

One of the framework's most practical benefits emerges when implementing security controls:

The Base Structure

  • 10 threat clusters × 5 NIST functions (Identify, Protect, Detect, Respond, Recover)
  • Yields a manageable 50-cell matrix in which each cell carries one clear control objective

Control Classification

  • Each cell further divided into:
    • Local Controls (specific to individual systems or processes)
    • Umbrella Controls (organization-wide measures)
  • This provides clear categorization and alignment with the control objectives while maintaining manageability

Scalable Complexity

  • Organizations can start with this basic structure
  • Additional substructures and refinements added only where necessary
  • Avoids overwhelming detail in initial implementation
  • Allows for targeted complexity based on specific risk profiles

Evolutionary Potential

The framework's structure allows for evolution within certain clusters, particularly #8 (Physical Attack), #9 (Social Engineering), and #10 (Supply Chain Attack). For example, Physical Attack could legitimately be divided into two distinct top-level clusters based on different generic vulnerabilities:

  • e.g. Direct physical access attacks (#8.1)
  • e.g. Indirect physical access attacks, such as side-channel attacks (#8.2)
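To make the matrix and the sub-cluster refinement concrete, the following Python model is an added example written for this post, not code from the TLCTC project. It builds the 10 × 5 grid from the cluster and function names above, registers each control against one cell as Local or Umbrella, lets a refined identifier such as #8.1 roll up to its parent #8 so that existing mappings keep resolving, and reports the cells that still have no control. The sample control names and the identifiers "8.1" / "8.2" are constructed illustrations.

```python
"""TLCTC control implementation matrix as a small data model.

Added example, not code from the TLCTC project. Cluster names and the
five NIST functions are taken from the post; the sample controls and the
sub-cluster identifiers "8.1" / "8.2" are constructed illustrations.
"""
from dataclasses import dataclass
from enum import Enum

# The ten top-level clusters as named in the post.
CLUSTERS = {
    1: "Abuse of Functions",
    2: "Exploiting Server",
    3: "Exploiting Client",
    4: "Identity Theft",
    5: "Man in the Middle",
    6: "Flooding Attack",
    7: "Malware",
    8: "Physical Attack",
    9: "Social Engineering",
    10: "Supply Chain Attack",
}

# The five NIST CSF functions that form the matrix columns.
NIST_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


class Scope(Enum):
    LOCAL = "local"        # specific to one system or process
    UMBRELLA = "umbrella"  # organisation-wide measure


@dataclass(frozen=True)
class Control:
    name: str
    cluster: str      # "8" for the top-level cluster, "8.1" for a refinement
    function: str     # one of NIST_FUNCTIONS
    scope: Scope


def top_level(cluster_id: str) -> int:
    """Roll a refined identifier such as "8.2" up to its parent cluster 8."""
    head = cluster_id.split(".", 1)[0]
    if not head.isdigit() or int(head) not in CLUSTERS:
        raise ValueError(f"unknown cluster {cluster_id!r}")
    return int(head)


class ControlMatrix:
    """The 10 x 5 grid; every control is keyed to exactly one cell."""

    def __init__(self) -> None:
        self.controls: list[Control] = []

    def add(self, control: Control) -> None:
        top_level(control.cluster)  # validates the cluster part
        if control.function not in NIST_FUNCTIONS:
            raise ValueError(f"unknown NIST function {control.function!r}")
        self.controls.append(control)

    def cell(self, cluster: int, function: str) -> list[Control]:
        """Controls in one cell, including those mapped to a sub-cluster."""
        return [c for c in self.controls
                if top_level(c.cluster) == cluster and c.function == function]

    def uncovered_cells(self) -> list[tuple[int, str]]:
        """Cells with no control at all: the first gap report to act on."""
        return [(cid, fn) for cid in CLUSTERS for fn in NIST_FUNCTIONS
                if not self.cell(cid, fn)]

    def cells_missing_scope(self, scope: Scope) -> list[tuple[int, str]]:
        """Populated cells that still lack a control of the given scope."""
        return [(cid, fn) for cid in CLUSTERS for fn in NIST_FUNCTIONS
                if self.cell(cid, fn)
                and not any(c.scope is scope for c in self.cell(cid, fn))]

    def coverage(self) -> float:
        """Fraction of the 50 cells holding at least one control."""
        total = len(CLUSTERS) * len(NIST_FUNCTIONS)
        return 1 - len(self.uncovered_cells()) / total


def build_sample_matrix() -> ControlMatrix:
    """Constructed sample: six controls, two of them on sub-clusters of #8."""
    m = ControlMatrix()
    for ctl in (
        Control("Central MFA for all workforce identities", "4", "Protect", Scope.UMBRELLA),
        Control("Login endpoint rate limiting", "6", "Protect", Scope.LOCAL),
        Control("Badge-reader logs forwarded to SIEM", "8.1", "Detect", Scope.LOCAL),
        Control("Constant-time crypto in the HSM firmware", "8.2", "Protect", Scope.LOCAL),
        Control("Phishing awareness programme", "9", "Protect", Scope.UMBRELLA),
        Control("SBOM review at vendor onboarding", "10", "Identify", Scope.UMBRELLA),
    ):
        m.add(ctl)
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print(f"coverage: {matrix.coverage():.0%}")
    for cid, fn in matrix.uncovered_cells():
        print(f"gap: #{cid} {CLUSTERS[cid]} / {fn}")
```

Running the script lists the 44 empty cells of the sample; `cells_missing_scope(Scope.UMBRELLA)` then shows which populated cells rely only on local controls, which is the kind of targeted refinement the post recommends adding where the risk profile demands it.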

Current State of Certainty

High Confidence Clusters (#1-#7)

The first seven clusters demonstrate strong logical consistency and clear differentiation in terms of their generic vulnerabilities and attack vectors. These categories have proven robust in practical application and align well with operational security needs:

  • Abuse of Functions
  • Exploiting Server
  • Exploiting Client
  • Identity Theft
  • Man in the Middle
  • Flooding Attack
  • Malware

Evolving Clusters (#8-#10)

These clusters represent the highest possible categorization for their respective domains:

  • Physical Attack (#8)
  • Social Engineering (#9)
  • Supply Chain Attack (#10)

While they might be refined further, their current position as top-level clusters is necessary for a complete threat landscape view. Their inclusion addresses gaps in existing frameworks, particularly MITRE ATT&CK, which treats phishing and supply chain compromise as individual techniques rather than as top-level categories and covers physical attacks only sparingly.

The Role of Major Security Organizations

The framework's future evolution depends significantly on major security organizations, particularly MITRE, expanding their scope to encompass the full spectrum of attack paths. Current frameworks often focus on specific aspects of cybersecurity while missing the broader picture. The TLCTC framework demonstrates how a more comprehensive approach could work, while remaining open to refinement and expansion within its logical structure.

Practical Implementation Benefits

Comprehensive Coverage

  • Provides complete coverage of the threat landscape
  • Maintains manageable scope for implementation

Clear Communication

  • Facilitates consistent terminology across teams
  • Enables effective risk discussions at all organizational levels

Structured Growth

  • Allows for systematic expansion where needed
  • Maintains logical consistency through evolution

Operational Efficiency

  • Creates manageable control frameworks
  • Reduces complexity in initial implementation
  • Enables targeted detail where required

Integration Capability

  • Aligns with existing frameworks and standards
  • Supports threat intelligence integration
  • Facilitates incident response planning

Conclusion

The choice of ten clusters represents a pragmatic starting point rather than an immutable conclusion. The framework's strength lies not in the specific number of clusters but in its logical consistency and comprehensive coverage of the threat landscape. Organizations can confidently begin implementing the framework in its current form: because a refinement such as splitting #8 into #8.1 and #8.2 keeps the parent cluster as the anchor, controls already mapped to #8 continue to resolve, so future refinements that respect the foundational axioms remain backward compatible.

The framework challenges the security community to think more systematically about threat categorization while providing a practical tool for immediate use. Whether it eventually expands beyond ten clusters is less important than its role in advancing the field's understanding and management of cyber threats.

This balance between current utility and future adaptability is what makes the TLCTC framework a valuable contribution to cybersecurity practice. Its success lies in providing a clear, actionable structure for understanding and managing cyber threats while remaining flexible enough to adapt as the threat landscape evolves.