In the Top Level Cyber Threat Clusters (TLCTC) framework, we categorize threats by their root cause (the 10 Clusters). In V2.0, we are introducing the temporal dimension (Δt). The time interval between one cluster and the next—what we call Attack Velocity—is the single most accurate predictor of attacker sophistication and the only metric that truthfully measures control effectiveness.
If you cannot measure the time between #4 Identity Theft and #2 Exploiting Server, you cannot calculate your risk.
Current cybersecurity frameworks map what happens and how it happens. But they universally ignore the physics of the attack: how fast it happens. Without measuring velocity, your risk register is lying to you.
The Hidden Variable: Sequence vs. Speed
Consider two scenarios that look identical on a "heat map" but require vastly different defensive strategies. The clusters are the same, but the velocity changes the game entirely.
Scenario A: The Nation-State (APT)
Entry to Malware (24h) → Malware to Credential Theft (14 days) → Exfiltration (3 weeks).
The adversary prioritizes stealth over speed.
Defensive strategy: Threat Hunting, Behavioral Analytics, Long-term Log Retention.
Scenario B: Automated Ransomware
Entry to Malware (30s) → Malware to Credential Theft (2 min) → Encryption (15 min).
The adversary prioritizes speed over stealth.
Defensive strategy: Automated Response (SOAR), AI-driven blocking. Human analysts are too slow.
```mermaid
gantt
title Attack Velocity Comparison
dateFormat X
axisFormat %s
section Scenario A (APT)
Entry (#9) :0, 40
Dwell Time :40, 160
Cred Theft (#4) :160, 200
Latent Access :200, 350
Exfiltration (#1) :350, 380
section Scenario B (Ransomware)
Entry (#9) :0, 15
Execution (#7) :15, 30
Creds (#4) :30, 45
Encryption (#1+#7) :45, 70
```
The TLCTC Temporal Notation System (V2.0)
To make this operational, we are extending the standard Attack Path Notation. We now annotate the transition arrow with the observed or estimated time delta.
1. Basic Temporal Sequence
The standard sequence with time intervals explicitly mapped:
#9 →[24h] #4 →[12m] #1
2. Integrated Sequence (with Domain Boundaries)
We can now map complex Supply Chain attacks with precision, including the dwell time within the third party. This uses the new V2.0 Domain Boundary operator ||.
#9 →[days] #4 →[mins] #1 ||[dev][@Vendor→@Org]|| →[weeks] #10.2 →[0s] #7
Translation: The attacker compromised a vendor using Social Engineering and Credentials (#9 → #4), abused their dev pipeline (#1), waited weeks for the build cycle (#10.2), and the moment the update was installed in your environment, malware executed instantly (#7).
The Velocity Classes
We categorize sequences into four operational velocity classes. Note: "RCE" is an outcome; the threat cause is #2 or #7.
| Velocity Class | Δt Range | Typical Threat Clusters | Control Strategy |
|---|---|---|---|
| Latent / Slow | Days to Months | #10 (Supply Chain), #7 (APT Implants) | Log Retention, Threat Hunting |
| Medium | Hours | #9 (Phishing), #4 (Manual Cred Abuse) | SIEM Alerting, Analyst Triage |
| Fast | Minutes | #3 (Exp. Client), #2 (Exp. Server) | Automated Containment, EDR Blocking |
| Realtime | Seconds / Milli | #6 (Flooding), #2 (Wormable Exploits) | Architecture, Hardening, Circuit Breakers |
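The following is an added example, not code from the TLCTC project: a small parser for the V2.0 temporal notation shown above that emits one record per arrow, keeps the contents of any `||...||` boundary crossed on that hop, and assigns each hop a velocity class. The class thresholds (60 s, 1 h, 1 day) are our reading of the table's Δt ranges, and a bare unit such as `[days]` is taken at its lower bound of one unit.

```python
import re
from dataclasses import dataclass

# Seconds per unit label used in the notation (s, m/mins, h, days, weeks).
UNIT_SECONDS = {"s": 1, "m": 60, "min": 60, "mins": 60, "h": 3600, "d": 86400,
                "day": 86400, "days": 86400, "w": 604800, "week": 604800, "weeks": 604800}

def velocity_class(seconds: float) -> str:
    """Δt -> class; thresholds 60 s / 1 h / 1 day are our reading of the table above."""
    for limit, name in ((60, "realtime"), (3600, "fast"), (86400, "medium")):
        if seconds < limit:
            return name
    return "slow"

def delta_seconds(label: str) -> float:
    """'24h' -> 86400. A bare unit such as 'days' is taken at its lower bound (1 unit)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)?\s*([A-Za-z]+)", label.strip())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unparseable Δt label: {label!r}")
    return float(m.group(1) or 1) * UNIT_SECONDS[m.group(2)]

@dataclass
class Transition:
    src: str
    dst: str
    delta_s: float
    velocity: str
    boundary: str = ""  # contents of a ||...|| operator crossed on this hop, if any

# Tokens: cluster (#9, #10.2), timed arrow (→[24h]) or domain boundary (||[dev]||).
TOKEN = re.compile(r"(#\d+(?:\.\d+)?)|→\[([^\]]+)\]|\|\|(.*?)\|\|")

def parse_path(notation: str) -> list[Transition]:
    """Turn a V2.0 path string into Transition records, one per arrow."""
    hops, prev, delta, boundary = [], None, None, ""
    for cluster, arrow, bound in TOKEN.findall(notation):
        if cluster:
            if prev is not None:
                if delta is None:
                    raise ValueError(f"no Δt annotated between {prev} and {cluster}")
                hops.append(Transition(prev, cluster, delta, velocity_class(delta), boundary))
            prev, delta, boundary = cluster, None, ""
        elif arrow:
            delta = delta_seconds(arrow)
        else:
            boundary = bound
    return hops

def detection_budget(hops: list[Transition]) -> float:
    return min(h.delta_s for h in hops)  # shortest Δt: the latency a detection must beat
```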
The "Detection Coverage Score": A New Metric for the Board
How do you tell the Board if you are secure? "We stopped 100 viruses" is a vanity metric. The Detection Coverage Score (DCS) is a strategic KPI derived from Attack Velocity.
DCS = Detection Time / Attack Δt (the time the attacker needs to reach the next cluster)
DCS < 1 (Winning): you detect before the attacker completes the transition.
DCS > 1 (Losing): the attacker completes the transition before you detect.
Example: If a Ransomware group moves from #4 Identity Theft to #1 Abuse of Functions (Admin Rights) in 10 minutes, and your SIEM alerts in 15 minutes:
DCS = 15 / 10 = 1.5. You are systematically blind to this attack. No amount of "hard work" by analysts will fix this; you need automation.
Operational Implementation: JSON Schema V2
For Security Engineering teams, we are updating the TLCTC JSON schema to support temporal analysis for TIP (Threat Intelligence Platform) ingestion.
```json
{
  "attack_path_id": "APT29_campaign_2024",
  "sequence": [
    {
      "step": 1,
      "cluster": "#9",
      "description": "Spearphishing",
      "timestamp": "2024-01-15T08:00:00Z"
    },
    {
      "transition": {
        "delta_t_value": 48,
        "delta_t_unit": "hours",
        "velocity_class": "slow"
      }
    },
    {
      "step": 2,
      "cluster": "#7",
      "description": "Cobalt Strike Beacon",
      "timestamp": "2024-01-17T08:00:00Z"
    }
  ]
}
```
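As an added example (not TLCTC tooling), this shows what an ingestion job could do with the schema above: derive each hop's Δt from the step timestamps, cross-check it against the declared transition object, and compute the Detection Coverage Score from the previous section for an assumed alerting latency. The sample record is the APT29 object above, embedded as a parsed JSON value.

```python
from datetime import datetime

# Added example, not TLCTC project code: ingest the V2 attack-path JSON above, derive
# each Δt from the step timestamps, cross-check the declared transition, and compute
# DCS = detection latency / Δt for a given SIEM/EDR alerting latency.

UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400, "weeks": 604800}

SAMPLE_PATH = {  # the APT29 record from the schema above, as a parsed JSON object
    "attack_path_id": "APT29_campaign_2024",
    "sequence": [
        {"step": 1, "cluster": "#9", "description": "Spearphishing", "timestamp": "2024-01-15T08:00:00Z"},
        {"transition": {"delta_t_value": 48, "delta_t_unit": "hours", "velocity_class": "slow"}},
        {"step": 2, "cluster": "#7", "description": "Cobalt Strike Beacon", "timestamp": "2024-01-17T08:00:00Z"},
    ],
}

def parse_ts(ts: str) -> datetime:
    """ISO-8601 with a trailing Z (UTC) -> aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def transitions(path: dict) -> list[dict]:
    """One record per hop: observed Δt from timestamps, declared Δt from the transition object."""
    out, prev, declared = [], None, None
    for item in path["sequence"]:
        if "transition" in item:
            t = item["transition"]
            declared = t["delta_t_value"] * UNIT_SECONDS[t["delta_t_unit"]]
        elif "step" in item:
            if prev is not None:
                observed = (parse_ts(item["timestamp"]) - parse_ts(prev["timestamp"])).total_seconds()
                out.append({"from": prev["cluster"], "to": item["cluster"], "delta_s": observed,
                            "declared_s": declared, "consistent": declared in (None, observed)})
            prev, declared = item, None
    return out

def dcs(detect_seconds: float, delta_s: float) -> float:
    """Detection Coverage Score: < 1 the alert fires before the next hop, > 1 you are blind.
    A 0 s hop (e.g. →[0s] #7) cannot be covered by detection at all, so it scores inf."""
    return float("inf") if delta_s == 0 else detect_seconds / delta_s

def score_path(path: dict, detect_seconds: float) -> list[dict]:
    """Score every hop of a path against one detection latency."""
    scored = []
    for t in transitions(path):
        s = dcs(detect_seconds, t["delta_s"])
        scored.append({**t, "dcs": s, "winning": s < 1})
    return scored
```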
The Strategic Imperative: A Call for Global Harmonization
The introduction of Attack Velocity (Δt) and Explicit Domain Boundaries (||) exposes a fundamental truth: our current industry standards are excellent at describing components of risk, but they lack the unified physics to describe the motion of risk.
To achieve true cyber resilience, we don't need to replace existing frameworks; we need to anchor them to a consistent causal reality. The TLCTC framework serves as this anchor. Here is our open call to the major players in the field.
1. To NIST (National Institute of Standards and Technology)
Current State: The NIST Cybersecurity Framework (CSF 2.0) is the gold standard for Governance. However, the "Threats" input for the ID.RA (Risk Assessment) category remains undefined, leaving organizations to invent their own taxonomies.
- Adoption: Formally adopt the 10 TLCTC Clusters as the standard taxonomy for Threat Identification.
- The Velocity Value: By mapping NIST Controls to specific TLCTC Clusters, organizations can move from static maturity ("Do we have a firewall?") to dynamic performance ("Does our firewall control reduce the Δt of #6 Flooding to near-zero?").
2. To MITRE (ATT&CK and D3FEND)
Current State: MITRE ATT&CK is the definitive encyclopedia of Tactics, Techniques, and Procedures. It is unparalleled in operational detail but often conflates cause (Exploitation) with effect (Execution).
- Adoption: Map every Technique to a primary TLCTC Cluster based on the Generic Vulnerability exploited. (e.g., Map T1190 strictly to #2 Exploiting Server).
- The Velocity Value: Add "Typical Velocity" attributes to Techniques. This transforms ATT&CK from a heatmap of "what happened" into a timeline of "how fast it happens."
3. To Regulators (EU DORA, NIS2, SEC)
Current State: New regulations mandate strict incident reporting, but often accept free-text descriptions like "We suffered a ransomware attack," which is analytically useless for cross-border comparison.
- Adoption: Mandate TLCTC Standardized Attack Path Notation for incident reporting.
- The Syntax: Require reports to look like: #9 → #4 ||[idp]|| → #1
- The Value: This allows regulators to instantly aggregate data: "Across the EU financial sector, Supply Chain identity delegations have a median velocity of 4 minutes."
4. To Supply Chain & SCA Vendors
Current State: Tools flag vulnerabilities (CVEs) but often fail to contextually map how trust is bridged.
- Adoption: Use the Explicit Boundary Operator || to visualize risk.
- The Value: Differentiate between a "vulnerable library" (#2 Exploiting Server) and a "trust transition" (#10.2 ||[dev]||). One requires a patch; the other requires a Zero Trust architecture change.
Conclusion: Time is the Only Differentiator
In the TLCTC framework, we strip away the noise. Axiom I tells us what the threat is. Axiom VIII tells us the sequence. V2.0 Velocity tells us the reality.
By measuring Δt, we move cyber defense from a guessing game to a calculable engineering problem. We stop asking "Can we detect this?" and start asking "Can we detect this in time?"