This post details how the TLCTC framework complements MITRE ATT&CK and STIX by providing a standardized, high-level threat categorization. We explore how to create enhanced STIX objects and model complex attack sequences (e.g., Emotet, SolarWinds) using TLCTC's strategic notation to bridge the gap between operational security and strategic risk management.
The Challenge
The cybersecurity landscape faces a critical challenge: fragmented threat intelligence that fails to effectively connect strategic risk management with operational security execution. While frameworks like MITRE ATT&CK and STIX enable detailed threat intelligence sharing, they lack a standardized high-level threat categorization system that aligns threat intelligence with risk management and security operations.
Current State Analysis
| Framework | Current Limitations | Integration Need |
|---|---|---|
| MITRE ATT&CK | | Map techniques to strategic threat clusters |
| STIX | | Enhance with structured threat taxonomy (using TLCTC) |
Introduction
In today's dynamic cybersecurity landscape, frameworks that capture the full complexity of threats and risk management are essential. While MITRE ATT&CK and CWE provide detailed catalogs of adversary tactics and underlying vulnerabilities, they operate largely at a tactical level. The TLCTC (Top Level Cyber Threat Clusters) framework complements these established tools by offering an overarching overlay that bridges attack path representation, cybersecurity control management, and integration with strategic risk frameworks like the NIST CSF, using the standardized TLCTC-XX.YY notation.
Understanding MITRE ATT&CK and CWE
MITRE ATT&CK is renowned for its comprehensive listing of tactics, techniques, and procedures (TTPs), while CWE classifies software weaknesses. These frameworks excel in providing granular detail about how adversaries operate and what vulnerabilities exist. However, they do not inherently offer a high-level conceptual overlay that maps these elements into coherent attack paths or ties them directly to enterprise-level control objectives using a consistent enumeration.
The TLCTC Overlay Concept
The TLCTC framework introduces a unified taxonomy that is derived from fundamental cybersecurity principles. By establishing a one-to-one mapping between generic vulnerabilities and distinct threat clusters (identified as TLCTC-XX.00), TLCTC fills the gap left by MITRE and CWE. It enables:
- Attack Path Representation: Modeling of complex, multi-stage attacks through sequences of threat cluster identifiers (e.g., TLCTC-09.00 → TLCTC-03.00 → TLCTC-07.00), illustrating the progression of an attack in a logical sequence. Strategic: #9→#3→#7; Operational: TLCTC-09.00→TLCTC-03.00→TLCTC-07.00.
- Cybersecurity Control Management: Direct linkage between threat clusters (TLCTC-XX.YY) and control objectives, which supports both technical mitigation and strategic risk management using NIST CSF functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER).
- Integration with Enterprise Frameworks: Seamless mapping to frameworks like the NIST CSF, ensuring that tactical threat data aligns with organizational risk profiles and enables communication from SOC to board level.
- Enhanced Threat Intelligence Exchange: Standardized descriptors (TLCTC-XX.YY) and structured attack sequences that facilitate clear and actionable communication across organizations and borders.
Benefits of the Complementary Approach
By overlaying MITRE ATT&CK and CWE with the TLCTC framework and its standardized notation, organizations gain a more complete picture of cyber threats:
- Holistic Coverage: TLCTC not only captures all the detailed techniques provided by MITRE but also extends them to represent the full attack path (using TLCTC-XX.YY sequences) and its subsequent business impact through the bow-tie model.
- Strategic Integration: It bridges the gap between tactical threat intelligence and strategic risk management, making it easier to prioritize security investments and mitigation strategies.
- Operational Flexibility: The framework's design accommodates repeated exploitation of the same vulnerability (e.g., multiple instances of TLCTC-07.00 in a sequence) in different contexts, such as during lateral movement, without compromising its logical consistency.
- Clear Responsibility Boundaries: Using #10 (Supply Chain Attack) as a domain boundary marker within sequences clearly shows where trust relationships are exploited and responsibility shifts between entities.
- Call to Action for Standard Bodies: TLCTC invites MITRE and similar organizations to integrate this overlay, enriching their models with capabilities that address modern cyber risk comprehensively using clear enumeration.

- Loss of Control vs. Data Risk Events: Loss of Control (system compromise) is the central bow-tie event. Data Risk Events (Loss of Confidentiality, Loss of Integrity, Loss of Availability) are consequences that follow.
- Credential Dual Nature: Credential acquisition maps to the enabling threat cluster (e.g., #2, #5, #7, #9) and results in Loss of Confidentiality. Credential USE always maps to #4 Identity Theft and results in Loss of Control.
- LOLBAS and #1→#7 Sequences: Living Off The Land techniques involve BOTH clusters: #1 (Abuse of Functions) for the invocation/enabling mechanism, and #7 (Malware) for the actual foreign code/script execution.
- Supply Chain (#10) Positioning: #10 can appear mid-sequence to mark domain/trust boundaries where legitimate actions in one sphere become supply-chain compromises for downstream victims.
- Parallel Execution: Use (#1+#7) notation to show simultaneous actions in the final attack stage.
Conclusion
In summary, the TLCTC framework is not intended to replace MITRE ATT&CK or CWE, but to complement them by providing a high-level overlay using the TLCTC-XX.YY notation. This enhances attack path visualization, control management, and integration with enterprise risk frameworks. This complementary approach offers a more robust, logically consistent method for threat modeling in today's complex cybersecurity environment. It is a call to action for standard bodies to consider integrating TLCTC elements, thereby strengthening the collective defense against evolving cyber threats.
Integration Framework
Enhanced STIX Objects
The following examples show how STIX objects can be created or extended to incorporate the TLCTC framework using the TLCTC-XX.YY notation.
STIX Threat Cluster Object (Custom Object Example)
```json
{
  "type": "x-threat-cluster",
  "spec_version": "2.1",
  "id": "x-threat-cluster--f81d4fae-7dec-11d0-a765-00a0c91e6bf6",
  "created": "2025-11-14T18:20:00.000Z",
  "modified": "2025-11-14T18:20:00.000Z",
  "name": "Abuse of Functions",
  "x_tlctc_id": "TLCTC-01.00",
  "x_strategic_notation": "#1",
  "definition": "An attacker abuses the logic or scope of existing, legitimate software functions, features, or configurations for malicious purposes through standard interfaces using expected input types (data, parameters, configurations, sequence of actions), but in a way that subverts the intended purpose or security controls.",
  "x_generic_vulnerability": "The scope, complexity, or inherent trust placed in legitimate software functions, features, and configurations.",
  "x_asset_type": "Software (Its logic, functions, and configuration)",
  "x_attacker_perspective": "I abuse a functionality, not a coding issue.",
  "x_key_distinction": "Data manipulation through legitimate functions. Does NOT create data→code transitions. When function abuse invokes/enables foreign code execution, map as #1→#7 sequence.",
  "x_data_code_transition": {
    "creates_transition": false,
    "note": "Data remains data. No foreign code execution occurs in pure #1."
  },
  "x_lolbas_handling": {
    "invocation": "TLCTC-01.00",
    "execution": "TLCTC-07.00",
    "sequence": "TLCTC-01.00→TLCTC-07.00",
    "explanation": "The invocation of the execution capability is #1, but the execution of foreign code/scripts is #7. Both clusters apply sequentially."
  },
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1548"
    },
    {
      "source_name": "mitre-attack",
      "external_id": "T1059",
      "description": "Command and Scripting Interpreter - when used to execute foreign code, maps as #1→#7 sequence"
    }
  ]
}
```
The x_ prefix denotes custom properties according to STIX 2.1 conventions. All TLCTC-specific fields use this prefix for compatibility.
STIX Attack Sequence Object (Custom Object Example)
```json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--d81d4fae-7dec-11d0-a765-00a0c91e6bf6",
  "created": "2025-11-14T18:20:00.000Z",
  "modified": "2025-11-14T18:20:00.000Z",
  "name": "Phishing to Malware Execution Chain",
  "description": "Common attack path starting with phishing leading to client-side exploitation and malware execution.",
  "x_tlctc_sequence": [
    "TLCTC-09.00",
    "TLCTC-03.00",
    "TLCTC-07.00"
  ],
  "x_strategic_sequence": "#9→#3→#7",
  "x_sequence_explanation": {
    "step_1": {
      "cluster": "TLCTC-09.00",
      "name": "Social Engineering",
      "action": "Phishing email deceives user into opening malicious attachment"
    },
    "step_2": {
      "cluster": "TLCTC-03.00",
      "name": "Exploiting Client",
      "action": "Client-side vulnerability exploited to achieve code execution"
    },
    "step_3": {
      "cluster": "TLCTC-07.00",
      "name": "Malware",
      "action": "Malware payload executes via designed execution capability"
    }
  },
  "x_initial_cluster_ref": "x-threat-cluster--social-engineering-uuid",
  "x_subsequent_cluster_refs": [
    "x-threat-cluster--exploiting-client-uuid",
    "x-threat-cluster--malware-uuid"
  ],
  "x_mitre_technique_refs": [
    "attack-pattern--mitre-t1566-uuid",
    "attack-pattern--mitre-t1204-uuid",
    "attack-pattern--mitre-t1059-uuid"
  ],
  "x_observed_frequency": "high",
  "x_first_observed": "2024-01-01T00:00:00Z",
  "x_last_observed": "2025-11-14T00:00:00Z"
}
```
Enhanced STIX Attack Pattern Object (Extension Example)
```json
{
  "type": "attack-pattern",
  "spec_version": "2.1",
  "id": "attack-pattern--c81d4fae-7dec-11d0-a765-00a0c91e6bf6",
  "created": "2025-11-14T10:00:00.000Z",
  "modified": "2025-11-14T10:00:00.000Z",
  "name": "Spearphishing Attachment",
  "description": "Adversaries may send spearphishing emails with malicious attachments in an attempt to gain access to victim systems. The attachment can contain malicious code that exploits vulnerabilities or relies on user execution.",
  "kill_chain_phases": [{
    "kill_chain_name": "mitre-attack",
    "phase_name": "initial-access"
  }],
  "external_references": [{
    "source_name": "mitre-attack",
    "external_id": "T1566.001",
    "url": "https://attack.mitre.org/techniques/T1566/001/"
  }],
  "x_tlctc_mapping": {
    "primary_cluster_id": "TLCTC-09.00",
    "primary_cluster_strategic": "#9",
    "primary_cluster_name": "Social Engineering",
    "primary_cluster_ref": "x-threat-cluster--social-engineering-uuid",
    "secondary_cluster_ids": ["TLCTC-03.00", "TLCTC-07.00"],
    "secondary_cluster_strategic": ["#3", "#7"],
    "secondary_cluster_refs": [
      "x-threat-cluster--exploiting-client-uuid",
      "x-threat-cluster--malware-uuid"
    ],
    "generic_vulnerability_exploited": "Human susceptibility to deception, trust, ignorance, fear, urgency, authority bias, or curiosity",
    "attack_sequence_context": {
      "is_typically_initial": true,
      "is_typically_subsequent": false,
      "typical_sequence_strategic": "#9→#3→#7",
      "typical_sequence_operational": "TLCTC-09.00→TLCTC-03.00→TLCTC-07.00",
      "sequence_explanation": "Social engineering (phishing) leads to client-side exploitation, which enables malware execution"
    },
    "bow_tie_position": {
      "layer": "cause_side",
      "leads_to": "Loss of Control (system compromise)",
      "potential_consequences": [
        "Loss of Confidentiality",
        "Loss of Integrity",
        "Loss of Availability"
      ]
    }
  }
}
```
Real-World Implementation Examples
Example 1: Emotet Campaign Attack Sequence
Strategic Notation: #9→#7→#7→#4→(#1+#7)
Operational Notation: TLCTC-09.00→TLCTC-07.00→TLCTC-07.00→TLCTC-04.00→(TLCTC-01.00+TLCTC-07.00)
This notation clearly shows the progression:
- #9 Social Engineering: Phishing email with malicious attachment
- #7 Malware: Emotet dropper executes via macro
- #7 Malware: Trickbot download and execution (second malware stage)
- #4 Identity Theft: Use of the credentials harvested via Trickbot (credential USE; the harvesting itself is a #7 malware action)
- (#1+#7) Parallel: Simultaneous lateral movement via stolen credentials (Abuse of Functions) AND Ryuk ransomware deployment (Malware)
The sequence shows TLCTC-07.00 appearing twice (#7→#7). This is correct and intentional - it represents two distinct malware execution stages: first the Emotet dropper, then the Trickbot payload. The framework accommodates repeated exploitation of the same threat cluster in different contexts.
```json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--emotet-example-001",
  "created": "2025-11-14T10:00:00.000Z",
  "modified": "2025-11-14T10:00:00.000Z",
  "name": "Emotet Campaign (Phishing to Ransomware)",
  "description": "Typical Emotet attack chain involving phishing, multi-stage malware deployment, credential theft, lateral movement, and ransomware deployment.",
  "x_tlctc_sequence": [
    "TLCTC-09.00",
    "TLCTC-07.00",
    "TLCTC-07.00",
    "TLCTC-04.00",
    ["TLCTC-01.00", "TLCTC-07.00"]
  ],
  "x_strategic_sequence": "#9→#7→#7→#4→(#1+#7)",
  "x_sequence_breakdown": [
    {
      "step": 1,
      "cluster": "TLCTC-09.00",
      "strategic": "#9",
      "name": "Social Engineering",
      "description": "Phishing email with malicious Word document attachment",
      "mitre_techniques": ["T1566.001"]
    },
    {
      "step": 2,
      "cluster": "TLCTC-07.00",
      "strategic": "#7",
      "name": "Malware",
      "description": "Emotet malware executes via macro in document",
      "mitre_techniques": ["T1204.002", "T1059.005"]
    },
    {
      "step": 3,
      "cluster": "TLCTC-07.00",
      "strategic": "#7",
      "name": "Malware",
      "description": "Trickbot downloaded and executed as second-stage payload",
      "mitre_techniques": ["T1105", "T1059"]
    },
    {
      "step": 4,
      "cluster": "TLCTC-04.00",
      "strategic": "#4",
      "name": "Identity Theft",
      "description": "Domain administrator credentials harvested and USED for impersonation",
      "mitre_techniques": ["T1003", "T1078"],
      "note": "Credential harvesting by Trickbot is #7 (malware action). The USE of those credentials is #4."
    },
    {
      "step": 5,
      "clusters": ["TLCTC-01.00", "TLCTC-07.00"],
      "strategic": "(#1+#7)",
      "name": "Parallel Execution",
      "description": "Simultaneous lateral movement (using stolen admin credentials) and Ryuk ransomware deployment",
      "parallel_actions": {
        "TLCTC-01.00": "Abuse of legitimate AD admin functions for lateral movement",
        "TLCTC-07.00": "Ryuk ransomware execution across network"
      },
      "mitre_techniques": ["T1021", "T1486"]
    }
  ],
  "x_initial_cluster_ref": "x-threat-cluster--social-engineering-uuid",
  "x_loss_of_control": {
    "occurs_at_step": 2,
    "description": "System compromise occurs when Emotet gains execution"
  },
  "x_data_risk_events": {
    "loss_of_confidentiality": {
      "occurs_at_step": 4,
      "description": "Credentials stolen (consequence of #7 malware)"
    },
    "loss_of_availability": {
      "occurs_at_step": 5,
      "description": "Ryuk ransomware encrypts data"
    }
  },
  "x_observed_frequency": "high",
  "x_threat_actor": "TA542 (Mummy Spider)"
}
```
Example 2: Pegasus Zero-Click Exploit
Strategic Notation: #3→#7
Operational Notation: TLCTC-03.00→TLCTC-07.00
This represents a zero-click vulnerability (Exploiting Client) that directly leads to Malware installation without user interaction.
```json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--pegasus-zeroclick-001",
  "created": "2025-11-14T10:05:00.000Z",
  "modified": "2025-11-14T10:05:00.000Z",
  "name": "Pegasus Zero-Click (iMessage Exploit)",
  "description": "Exploitation of a zero-click client-side vulnerability in iMessage leading directly to Pegasus spyware deployment without user interaction.",
  "x_tlctc_sequence": [
    "TLCTC-03.00",
    "TLCTC-07.00"
  ],
  "x_strategic_sequence": "#3→#7",
  "x_sequence_breakdown": [
    {
      "step": 1,
      "cluster": "TLCTC-03.00",
      "strategic": "#3",
      "name": "Exploiting Client",
      "description": "Zero-click exploit in iMessage/Apple Photos app",
      "cve_examples": ["CVE-2021-30860"],
      "note": "No user interaction required - exploit triggers automatically on message receipt"
    },
    {
      "step": 2,
      "cluster": "TLCTC-07.00",
      "strategic": "#7",
      "name": "Malware",
      "description": "Pegasus spyware installation and execution",
      "capabilities": ["Surveillance", "Data exfiltration", "Communication monitoring"]
    }
  ],
  "x_initial_cluster_ref": "x-threat-cluster--exploiting-client-uuid",
  "x_zero_click_characteristic": true,
  "x_loss_of_control": {
    "occurs_at_step": 1,
    "description": "System compromise occurs when client exploit succeeds"
  },
  "x_data_risk_events": {
    "loss_of_confidentiality": {
      "occurs_at_step": 2,
      "description": "Pegasus exfiltrates messages, calls, location data"
    }
  },
  "x_observed_frequency": "medium",
  "x_threat_actor": "NSO Group clients (nation-state)"
}
```
Example 3: SolarWinds Supply Chain Attack
Strategic Notation: #2→#1→#10.02→#7
Operational Notation: TLCTC-02.00→TLCTC-01.00→TLCTC-10.02→TLCTC-07.00
This demonstrates #10 (Supply Chain Attack) used as a domain boundary marker within the sequence:
```json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--solarwinds-sunburst-001",
  "created": "2025-11-14T10:10:00.000Z",
  "modified": "2025-11-14T10:10:00.000Z",
  "name": "SolarWinds SUNBURST Supply Chain Compromise",
  "description": "Nation-state attack compromising SolarWinds build system to inject malicious code into legitimate software updates, affecting thousands of downstream customers.",
  "x_tlctc_sequence": [
    "TLCTC-02.00",
    "TLCTC-01.00",
    "TLCTC-10.02",
    "TLCTC-07.00"
  ],
  "x_strategic_sequence": "#2→#1→#10.02→#7",
  "x_sequence_breakdown": [
    {
      "step": 1,
      "cluster": "TLCTC-02.00",
      "strategic": "#2",
      "name": "Exploiting Server",
      "description": "Compromise of SolarWinds build system (server-side)",
      "responsibility_sphere": "attacker-to-solarwinds",
      "note": "Actions occur in SolarWinds domain"
    },
    {
      "step": 2,
      "cluster": "TLCTC-01.00",
      "strategic": "#1",
      "name": "Abuse of Functions",
      "description": "Abuse of legitimate build process to inject SUNBURST backdoor",
      "responsibility_sphere": "solarwinds",
      "note": "Still within SolarWinds domain - legitimate build functions misused"
    },
    {
      "step": 3,
      "cluster": "TLCTC-10.02",
      "strategic": "#10",
      "name": "Supply Chain Attack (Development Vector)",
      "description": "TRUST/DOMAIN BOUNDARY: Malicious update distributed to customers via legitimate update channel",
      "responsibility_sphere": "boundary-crossing",
      "note": "#10 marks where legitimate SolarWinds actions become supply-chain compromise for downstream victims",
      "boundary_explanation": "Before #10: attacker actions in SolarWinds domain. #10: trust boundary crossing. After #10: impact on customer domains."
    },
    {
      "step": 4,
      "cluster": "TLCTC-07.00",
      "strategic": "#7",
      "name": "Malware",
      "description": "SUNBURST backdoor executes in customer environments",
      "responsibility_sphere": "customer-victims",
      "note": "Actions now occur in customer domains - they are downstream victims of supply chain attack"
    }
  ],
  "x_supply_chain_boundary": {
    "marked_by": "TLCTC-10.02",
    "before_boundary": ["TLCTC-02.00", "TLCTC-01.00"],
    "boundary_description": "Legitimate update distribution channel",
    "after_boundary": ["TLCTC-07.00"],
    "responsibility_shift": "From SolarWinds domain to customer domains"
  },
  "x_affected_organizations": "~18,000 SolarWinds Orion customers",
  "x_threat_actor": "APT29 (Cozy Bear / Nobelium)"
}
```
In the SolarWinds sequence #2→#1→#10→#7, the #10 doesn't represent a separate "attack" - it marks the trust/domain transition point where:
- Before #10: Actions in SolarWinds' domain (server exploit + build process abuse)
- #10 itself: The trusted update channel that bridges domains
- After #10: Impact on downstream customer domains (malware execution)
This notation clearly shows responsibility and control boundaries, essential for incident response and forensics.
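The sequence notation used in the examples above (→ for sequential steps, parenthesised + for parallel steps, #10 as a boundary marker) can be parsed and converted mechanically. The following Python is an added example, not code from the original post or from the TLCTC framework; the function names are hypothetical, and it assumes cluster numbers 1 to 10 with a two-digit sub-cluster, as in the notation shown on this page.

```python
import re

ARROW = "→"
# One cluster token in either notation: "#9", "#10.02" or "TLCTC-09.00".
TOKEN = re.compile(r"^(?:#(\d{1,2})(?:\.(\d{2}))?|TLCTC-(\d{2})\.(\d{2}))$")


def parse_cluster(token):
    """Return (cluster, sub) for '#9', '#10.02' or 'TLCTC-09.00'."""
    m = TOKEN.match(token.strip())
    if not m:
        raise ValueError(f"not a TLCTC cluster token: {token!r}")
    cluster = int(m.group(1) or m.group(3))
    sub = int(m.group(2) or m.group(4) or 0)
    if not 1 <= cluster <= 10:  # assumption: clusters are numbered 1..10
        raise ValueError(f"cluster number out of range: {token!r}")
    return cluster, sub


def parse_sequence(text):
    """Parse a sequence into steps; each step is a list of (cluster, sub) tuples.

    A sequential step has one member, a parallel step '(#1+#7)' has several.
    """
    steps = []
    for part in (p.strip() for p in text.split(ARROW)):
        if part.startswith("(") and part.endswith(")"):
            members = part[1:-1].split("+")
        elif any(ch in part for ch in "()+"):
            raise ValueError(f"parallel step must be parenthesised: {part!r}")
        else:
            members = [part]
        steps.append([parse_cluster(m) for m in members])
    return steps


def render(steps, operational=False):
    """Render steps as strategic ('#9→#7') or operational ('TLCTC-09.00→...') text."""
    def one(cluster, sub):
        if operational:
            return f"TLCTC-{cluster:02d}.{sub:02d}"
        return f"#{cluster}" + (f".{sub:02d}" if sub else "")

    parts = []
    for step in steps:
        names = [one(c, s) for c, s in step]
        parts.append(names[0] if len(names) == 1 else "(" + "+".join(names) + ")")
    return ARROW.join(parts)


def to_stix_sequence(steps):
    """Build the x_tlctc_sequence shape used on this page (nested list = parallel)."""
    ids = [[f"TLCTC-{c:02d}.{s:02d}" for c, s in step] for step in steps]
    return [step[0] if len(step) == 1 else step for step in ids]


def split_at_boundary(steps):
    """Split at the first #10 step: (before, boundary, after); boundary None if absent."""
    for i, step in enumerate(steps):
        if any(cluster == 10 for cluster, _ in step):
            return steps[:i], step, steps[i + 1:]
    return steps, None, []


if __name__ == "__main__":
    emotet = parse_sequence("#9→#7→#7→#4→(#1+#7)")  # strategic form from Example 1
    print(render(emotet, operational=True))
    solarwinds = parse_sequence("TLCTC-02.00→TLCTC-01.00→TLCTC-10.02→TLCTC-07.00")
    before, boundary, after = split_at_boundary(solarwinds)
    print(render(before), "|", render([boundary]), "|", render(after))
```

Comparing `to_stix_sequence(parse_sequence(obj["x_strategic_sequence"]))` with `obj["x_tlctc_sequence"]` catches objects whose two notations disagree.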
Example 4: MFA Bombing Attack
Strategic Notation: #4→#1→#9→#4
Operational Notation: TLCTC-04.00→TLCTC-01.00→TLCTC-09.00→TLCTC-04.00
This demonstrates the dual nature of credentials and the difference between acquisition and use:
```json
{
  "type": "x-attack-sequence",
  "spec_version": "2.1",
  "id": "x-attack-sequence--mfa-bombing-001",
  "created": "2025-11-14T10:15:00.000Z",
  "modified": "2025-11-14T10:15:00.000Z",
  "name": "MFA Bombing (MFA Fatigue Attack)",
  "description": "Attack where adversary uses stolen credentials and overwhelms user with MFA requests to achieve authentication bypass through user fatigue.",
  "x_tlctc_sequence": [
    "TLCTC-04.00",
    "TLCTC-01.00",
    "TLCTC-09.00",
    "TLCTC-04.00"
  ],
  "x_strategic_sequence": "#4→#1→#9→#4",
  "x_sequence_breakdown": [
    {
      "step": 1,
      "cluster": "TLCTC-04.00",
      "strategic": "#4",
      "name": "Identity Theft",
      "description": "Attacker has already obtained userID and password, and attempts to USE them",
      "note": "Credential acquisition occurred earlier via different cluster (e.g., #9 phishing, #7 keylogger). This step is the initial USE attempt."
    },
    {
      "step": 2,
      "cluster": "TLCTC-01.00",
      "strategic": "#1",
      "name": "Abuse of Functions",
      "description": "Repeated MFA challenge requests sent to user's device",
      "note": "Abusing legitimate MFA request functionality - no code flaw, working as designed but beyond intended scope"
    },
    {
      "step": 3,
      "cluster": "TLCTC-09.00",
      "strategic": "#9",
      "name": "Social Engineering",
      "description": "User psychologically manipulated through alert fatigue to approve authentication",
      "generic_vulnerability": "Human susceptibility to fatigue and annoyance"
    },
    {
      "step": 4,
      "cluster": "TLCTC-04.00",
      "strategic": "#4",
      "name": "Identity Theft",
      "description": "Valid MFA token obtained, completing the identity theft process",
      "note": "Second #4 represents successful completion of authentication with both factors"
    }
  ],
  "x_credential_handling": {
    "initial_acquisition": {
      "cluster": "varies",
      "examples": ["TLCTC-09.00 (phishing)", "TLCTC-07.00 (keylogger)", "TLCTC-05.00 (MitM)"],
      "consequence": "Loss of Confidentiality (data risk event)"
    },
    "credential_use": {
      "cluster": "TLCTC-04.00",
      "appears_in_sequence": ["step 1", "step 4"],
      "consequence": "Loss of Control (system compromise)"
    }
  },
  "x_notable_incidents": ["Uber breach 2022"],
  "x_mitre_techniques": ["T1078", "T1621"]
}
```
Integration Benefits
- Standardized Threat Categorization: Provides a consistent high-level taxonomy (TLCTC-XX.YY) usable across different tools and frameworks, eliminating semantic confusion.
- Clear Attack Progression: Enables explicit modeling and analysis of multi-stage attack sequences using standardized identifiers with proper notation (→ for sequential, + for parallel).
- Enhanced Threat Intelligence: Facilitates richer, more structured sharing of threat information, including attack paths, domain boundaries, and targeted generic vulnerabilities.
- Bridging Strategy and Operations: Connects detailed technical data (MITRE TTPs at operational level) with strategic risk concepts (TLCTC clusters) using a dual notation system.
- Improved Threat Hunting & Response: Allows security teams to better understand adversary goals and methods based on observed cluster sequences, with clear cause-effect separation via the bow-tie model.
- Control Mapping Precision: Direct mapping to NIST CSF functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) per threat cluster enables precise control implementation and gap analysis.
Implementation Guidance
For Threat Intelligence Teams
- Document attack sequences using TLCTC notation (TLCTC-XX.YY→TLCTC-YY.ZZ)
- Identify domain boundaries and mark with #10 where appropriate
- Distinguish credential acquisition (maps to enabling cluster) from credential use (always #4)
- Use parallel notation (#X+#Y) for simultaneous final-stage actions
- Separate Loss of Control (system compromise) from Data Risk Events (LoC, LoI, LoA)
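The rules in the list above can be checked mechanically before an x-attack-sequence object is shared or ingested. The following Python is an added example, not code from the original post or from the TLCTC framework; `lint_attack_sequence` and `flat` are hypothetical names, and it assumes the custom property names used in this page's JSON examples.

```python
def flat(step):
    """A sequence position is one cluster ID, or a list of IDs for a parallel step."""
    return step if isinstance(step, list) else [step]


def lint_attack_sequence(obj):
    """Return findings for one x-attack-sequence object; an empty list means consistent."""
    findings = []
    seq = obj.get("x_tlctc_sequence", [])

    # 1. Every breakdown entry must name the cluster(s) at its step position.
    for entry in obj.get("x_sequence_breakdown", []):
        n = entry.get("step")
        named = flat(entry.get("clusters", entry.get("cluster")))
        if not isinstance(n, int) or not 1 <= n <= len(seq):
            findings.append(f"breakdown step {n!r} is outside the sequence")
        elif named != flat(seq[n - 1]):
            findings.append(f"step {n}: breakdown {named} != sequence {flat(seq[n - 1])}")

    # 2. Bow-tie: data risk events are consequences, never earlier than Loss of Control.
    loc = obj.get("x_loss_of_control", {}).get("occurs_at_step")
    for name, event in obj.get("x_data_risk_events", {}).items():
        at = event.get("occurs_at_step")
        if loc is not None and at is not None and at < loc:
            findings.append(f"{name} at step {at} precedes loss of control at step {loc}")

    # 3. Supply chain: before + marker + after must rebuild the sequence; marker is #10.
    boundary = obj.get("x_supply_chain_boundary")
    if boundary:
        marker = boundary.get("marked_by", "")
        if not marker.startswith("TLCTC-10."):
            findings.append(f"boundary marker {marker!r} is not a #10 cluster")
        rebuilt = (boundary.get("before_boundary", []) + [marker]
                   + boundary.get("after_boundary", []))
        if rebuilt != seq:
            findings.append("x_supply_chain_boundary does not match x_tlctc_sequence")

    # 4. Credential USE is always #4 and must appear in the sequence.
    use = obj.get("x_credential_handling", {}).get("credential_use")
    if use:
        if use.get("cluster") != "TLCTC-04.00":
            findings.append(f"credential use mapped to {use.get('cluster')!r}, "
                            "expected TLCTC-04.00")
        elif "TLCTC-04.00" not in [c for step in seq for c in flat(step)]:
            findings.append("credential use declared but TLCTC-04.00 is not in the sequence")
    return findings


# Constructed inputs: SOLARWINDS keeps only the checked fields of the page's
# SolarWinds object; BROKEN is invented to trip rules 1, 2 and 4.
SOLARWINDS = {
    "x_tlctc_sequence": ["TLCTC-02.00", "TLCTC-01.00", "TLCTC-10.02", "TLCTC-07.00"],
    "x_sequence_breakdown": [{"step": 3, "cluster": "TLCTC-10.02"},
                             {"step": 4, "cluster": "TLCTC-07.00"}],
    "x_supply_chain_boundary": {"marked_by": "TLCTC-10.02",
                                "before_boundary": ["TLCTC-02.00", "TLCTC-01.00"],
                                "after_boundary": ["TLCTC-07.00"]},
}
BROKEN = {
    "x_tlctc_sequence": ["TLCTC-09.00", "TLCTC-07.00", ["TLCTC-01.00", "TLCTC-07.00"]],
    "x_sequence_breakdown": [{"step": 2, "cluster": "TLCTC-03.00"},
                             {"step": 3, "clusters": ["TLCTC-01.00", "TLCTC-07.00"]}],
    "x_loss_of_control": {"occurs_at_step": 2},
    "x_data_risk_events": {"loss_of_confidentiality": {"occurs_at_step": 1}},
    "x_credential_handling": {"credential_use": {"cluster": "TLCTC-09.00"}},
}

if __name__ == "__main__":
    for finding in lint_attack_sequence(BROKEN):
        print(finding)
```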
For SIEM/SOC Implementation
- Tag MITRE techniques with corresponding TLCTC-XX.YY identifiers
- Create detection rules organized by threat cluster
- Track attack progression through cluster sequences
- Alert on domain boundary crossings (#10 events)
- Correlate events using standardized notation
For Risk Management
- Map organizational controls to specific TLCTC clusters using NIST CSF functions
- Assess historical incidents to identify cluster frequency patterns
- Communicate risks to board using strategic notation (#X)
- Track control effectiveness per cluster
- Align threat intelligence with risk appetite statements
Licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).