Most security teams are stuck telling half the story. They can tell you when it happened (Timeline) and how it happened (Technique), but they struggle to articulate why the system failed in a way that maps directly to strategic risk. It is time to synthesize.
The Fragmentation Problem
We operate in a fragmented landscape. The Cyber Kill Chain (CKC) gives us phases. MITRE ATT&CK gives us an encyclopedia of techniques. But neither explicitly categorizes the Generic Vulnerability—the root cause—that allowed the breach.
Without a root cause taxonomy, we cannot build effective metrics. You cannot measure "Phishing" (a technique) against "Firewall" (a control) effectively. You need to measure the threat cluster #9 Social Engineering against the Human asset.
We do not need to choose one framework. We need to stack them.
- CKC anchors the sequence (The Timeline).
- ATT&CK provides the granular detail (The Technique).
- TLCTC defines the root cause (The Driver).
The Tri-Layer Mental Model
Imagine every incident mapping to three distinct layers. This provides the "Rosetta Stone" for communicating with Analysts (How), Managers (When), and the Board (Why).
TLCTC is the core because it is cause-oriented. Outcomes (like "Data Loss" or "RCE") are effects, not threats. By driving with TLCTC, we ensure every step leads back to a generic vulnerability (#1-#10) that we can actually manage.
Mapping the Layers: A Cheatsheet
Here is how the layers align. Notice how multiple ATT&CK techniques often roll up into a single TLCTC Cause.
| CKC Phase | Typical ATT&CK Tactic | TLCTC Cluster (Cause) |
|---|---|---|
| Delivery | Initial Access | #9 Social Engineering (Phish)<br>#10 Supply Chain (Trusted Relationship) |
| Exploitation | Execution | #2 Exploiting Server (Code Flaw)<br>#1 Abuse of Functions (Logic Abuse) |
| Installation | Persistence | #7 Malware (Foreign Code)<br>#1 Abuse of Functions (Scheduled Task) |
| Actions on Obj. | Exfiltration / Impact | #4 Identity Theft (Cred Use)<br>#6 Flooding (Capacity Abuse) |
Real-World Application: The Attack Path
Let’s look at a standard Phishing-led Ransomware attack. Using the synthesis, we can describe it with precision.
The Narrative
- CKC: Delivery → Exploitation → Installation → Actions
- ATT&CK: T1566 (Phishing) → T1059 (Command & Scripting) → T1053 (Scheduled Task) → T1486 (Data Encrypted)
- TLCTC Analysis:
  - The Phish abused human trust (#9).
  - The Macro executed foreign code (#7).
  - Persistence was established by abusing the legitimate Task Scheduler (#1).
  - Lateral movement used stolen creds (#4) and encryption used foreign code (#7).
The TLCTC Attack Path Notation
This entire complex narrative boils down to this string for your dashboard:
#9 -> #7 -> #1 -> #4 -> (#1 + #7)
(Note: The final step shows parallelism—abusing Admin tools (#1) while deploying Ransomware (#7)).
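To make the notation usable on a dashboard it has to be machine-checkable. The following Python is an added example, not code from the TLCTC project: it parses an attack-path string (including parallel groups in parentheses), rejects cluster numbers outside #1-#10, renders it back, and counts how often each cause appears, which is the per-cluster figure a scorecard would aggregate. Cluster names are the ones this page uses; the regex and function names are my own.

```python
import re
from collections import Counter

# TLCTC cluster names as they appear on this page. The remaining numbers are
# still valid clusters (#1-#10); the page does not name them, so a generic
# label is used for those.
CLUSTER_NAMES = {
    1: "Abuse of Functions", 2: "Exploiting Server", 4: "Identity Theft",
    6: "Flooding", 7: "Malware", 9: "Social Engineering", 10: "Supply Chain",
}

# One step is either a single cluster "#n" or a parallel group "(#a + #b ...)".
STEP_RE = re.compile(r"^(?:#(\d+)|\((\s*#\d+(?:\s*\+\s*#\d+)*\s*)\))$")


def parse_path(path: str) -> list[list[int]]:
    """Parse '#9 -> #7 -> (#1 + #7)' into [[9], [7], [1, 7]]; raise on bad input."""
    steps = []
    for raw in path.split("->"):
        m = STEP_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed step: {raw.strip()!r}")
        if m.group(1):
            nums = [int(m.group(1))]
        else:
            nums = [int(n) for n in re.findall(r"#(\d+)", m.group(2))]
        bad = [n for n in nums if not 1 <= n <= 10]
        if bad:
            raise ValueError(f"unknown TLCTC cluster(s): {bad}")
        steps.append(nums)
    return steps


def format_path(steps: list[list[int]]) -> str:
    """Inverse of parse_path: render steps back into the dashboard notation."""
    parts = []
    for step in steps:
        if len(step) == 1:
            parts.append(f"#{step[0]}")
        else:
            parts.append("(" + " + ".join(f"#{n}" for n in step) + ")")
    return " -> ".join(parts)


def cluster_counts(steps: list[list[int]]) -> Counter:
    """How often each cause occurs on the path; each member of a parallel group counts."""
    return Counter(n for step in steps for n in step)


if __name__ == "__main__":
    steps = parse_path("#9 -> #7 -> #1 -> #4 -> (#1 + #7)")  # the page's example path
    for i, step in enumerate(steps, 1):
        print(f"step {i}:", " + ".join(f"#{n} {CLUSTER_NAMES.get(n, 'unnamed')}" for n in step))
    print(format_path(steps), dict(cluster_counts(steps)))
```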
Why STRIDE is Obsolete in this Stack
You might ask, "Where does STRIDE fit?" The answer is: It doesn't.
STRIDE mixes causes (Spoofing), actions (Tampering), and effects (Information Disclosure, Denial of Service). This creates ambiguity.
- Spoofing? That’s #4 Identity Theft.
- Tampering? That’s an Integrity effect caused by #1, #2, or #8.
- DoS? That’s an Availability effect caused by #6 Flooding.
TLCTC replaces STRIDE's role by separating the Cause (The 10 Clusters) from the Effect (Data Risk Events in the Bow-Tie). This clean separation allows for the standardized notation you see above.
Conclusion: Your New Scorecard
By adopting this synthesis, you move from qualitative storytelling to quantitative risk management.
- Narrate with CKC.
- Detail with ATT&CK.
- Measure and Govern with TLCTC.
Use the 10 Top Level Cyber Threat Clusters to build your 10x(5x2) NIST scorecard. This is how we bridge the gap between the SOC analyst finding a TTP and the Board Member asking, "Are we safe?"