
TLCTC Threat Classification Decision Tree

Quick Starter for V2.0/V2.1 — Bridge Clusters, Attack Velocity (Δt), DRE Notation, and Domain Boundaries.

Bernhard Kreinz
V2.0/V2.1: Topology, Time & Boundaries

1. Topology: Classify if the threat is a Bridge Cluster (#8, #9, #10) crossing a domain boundary, or an Internal Cluster (#1–#7) operating within a control regime.
2. Velocity (Δt): Measure the time between steps. VC-4 (seconds–ms), VC-3 (minutes), VC-2 (hours), VC-1 (days–months).
3. Boundary Notation: Use ||[context][@Source→@Target]|| for all bridge cluster boundary crossings. V2.1 adds the transit (⇒) and intra-system (|[type]|) operators.

Visual Decision Flow

[Figure: decision flow. START → Human? (Psychology) → #9 Social Engineering (Bridge: Human → Cyber); Physical? (Hardware/Signal) → #8 Physical Attack (Bridge: Physical → Cyber); 3rd Party? (Trust Boundary) → #10 Supply Chain (Bridge: Vendor → Org); MitM? → #5 Man in the Middle; Flooding? (Exhaustion) → #6 Flooding Attack; Creds? → #4 Identity Theft for Use, Acquisition mapped to its enabler; Foreign Code? → #7 Malware (Binaries, Scripts, LOLBAS); Exploit Code? → #2 Exploiting Server / #3 Exploiting Client; Logic Abuse? → #1 Abuse of Functions; then Review.]
Figure 1: TLCTC Classification Flow. Bridge Clusters (#8, #9, #10) cross domain boundaries; Internal Clusters (#1–#7) operate within a control regime.

Decision Tree: Step by Step

Axiom III: Classify the Cause, Not the Outcome

“Ransomware” or “data breach” are outcomes, not clusters. Classify each step by the generic vulnerability exploited. One step = one cluster (Axiom VI).

Q1: Is this targeting Human Psychology? (Bridge)

Does it exploit trust, fear, or urgency to bypass technical controls?

YES → #9 Social Engineering (Bridge Cluster)

Crosses from Human Domain to Cyber Domain.
Examples: Phishing, Vishing, MFA Fatigue (Psychological pressure).

Q2: Is Physical Access Required? (Bridge)

Does it require touching hardware or exploiting physical layer signals?

YES → #8 Physical Attack (Bridge Cluster)

Crosses from Physical Domain to Cyber Domain.
Examples: USB insertion, Device Theft, TEMPEST.

Q3: Is a Trust Boundary Crossed? (Bridge)

Does the attack leverage implicit trust in a third-party component, update, or pipeline?

YES → #10 Supply Chain Attack (Bridge Cluster)

Crosses from Vendor Domain to Org Domain.

V2.0 Syntax: Use the ||[context][@Source→@Target]|| boundary operator.

#10 ||[dev][@Vendor→@Org]|| → #7

R-SUPPLY: #10 is placed at the Trust Acceptance Event (TAE) — the moment the trust artifact becomes authoritative inside the target domain.

Q4: Communication Interception? (Internal)

Is the attacker positioned between communicating parties within a channel?

YES → #5 Man in the Middle

Operates within the communication domain.

Q5: Resource Exhaustion? (Internal)

Is the attacker overwhelming a resource (bandwidth, CPU, memory, connections) to deny availability?

YES → #6 Flooding Attack

Operates within the target domain through resource exhaustion.
Examples: DDoS, SYN flood, application-layer flooding, amplification attacks.

Q6: Credentials? (R-CRED & Axiom X)

Credential Duality — Acquisition vs. Use are always separate steps:

  • ACQUISITION Phase: Map to the enabling cluster (e.g., #9 Phishing, #1 lsass dump, #2 SQLi). This is a Data Risk Event + [DRE: C].
  • USE Phase: ALWAYS maps to #4 Identity Theft, regardless of acquisition method (R-CRED).

Q7: Foreign Executable Content (FEC)?

Is code executing that was not part of the original system design?

YES → #7 Malware

R-EXEC: If Foreign Executable Content executes, a #7 step with fec_executed: true MUST be recorded at the execution moment.
Includes Scripts, Binaries, and LOLBAS usage (where #1 invokes the tool, and #7 executes the payload).

Q8: Exploiting Implementation Flaws?

Does it require Exploit Code to trigger a bug (buffer overflow, injection)? R-ROLE: Classify by the role of the flawed component relative to the attacker.

  • Server Role? → #2 Exploiting Server (SQLi, RCE, SSRF, deserialization).
  • Client Role? → #3 Exploiting Client (Browser exploits, malicious PDF, XSS).

Q9: Logic/Feature Abuse?

Abusing legitimate functionality without code flaws and without foreign code?

YES → #1 Abuse of Functions

Examples: Parameter tampering, API abuse, Admin config changes.

Attack Patterns & Velocity

Ransomware (VC-3/VC-4)
#9 ||[human][@External→@Org]|| →[Δt=24h] #7 →[Δt=5m] #4 →[Δt=15m] (#1 + #7) + [DRE: Ac]
(Phishing → Malware → Cred Use → (Admin Abuse + Encryption) → Data Inaccessible)

Supply Chain (VC-1 latent)
#1 →[Δt=weeks] #10 ||[dev][@Vendor→@Org]|| →[Δt=days] #7 + [DRE: C, I]
(Repo Abuse → Trust Acceptance Event → Malware Execution)

MFA Bombing (The Micro-Bridge)
#4 →[Δt=1m] #1 →[Δt=5m] #9 ||[human][@External→@Org]|| → #4
(Cred Use → Abuse MFA Request → Fatigue (Social) → Token Use)

Notation Quick Reference

Operators
  • → sequential step
  • (#X + #Y) parallel execution
  • →[Δt=value]→ attack velocity
  • ||[ctx][@Src→@Tgt]|| boundary crossing (bridge clusters)
Data Risk Events (DRE)
  • + [DRE: C] Confidentiality
  • + [DRE: I] Integrity
  • + [DRE: A] Availability (general)
  • + [DRE: Av] data gone/unreachable
  • + [DRE: Ac] data present but unusable (e.g., ransomware)

V2.1 Boundary Extensions

These are additive and backward-compatible with V2.0 notation.

Transit Boundary Operator (⇒)

Marks spheres that carry/relay the attack but are not the source or target.

||[human][@Attacker⇒@SMSProvider→@Victim]||

R-TRANSIT-3: Vendor code running on the target device is NOT transit. It is the attack surface (classify by R-ROLE).

Intra-System Boundary Operator (|[type]|)

Marks boundary crossings within a single host or system. Single pipe delimiters.

#3 |[sandbox][@renderer→@os]|

Four types: sandbox, privilege, process, hypervisor. R-INTRA-7: These never change cluster classification — they are observability annotations only.
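To make the quick-reference notation and the V2.1 operators concrete, here is a small parser and consistency checker for attack-path strings. It is an added example, not TLCTC's own tooling: the inclusive velocity cut-offs, the nominal values for bare words such as `weeks`, and the rules in `check_path` (bridge clusters, and only they, carry a ||..|| crossing; intra-system annotations use one of the four types) are my reading of this page.

```python
import re
BRIDGE = {8, 9, 10}                                      # bridge clusters in the decision tree
INTRA_TYPES = {"sandbox", "privilege", "process", "hypervisor"}   # the four R-INTRA-7 annotation types
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "minutes": 60, "hours": 3600,
         "days": 86400, "weeks": 604800, "months": 2592000}   # bare words get nominal values (assumption)
VC_LIMITS = ((60, "VC-4"), (3600, "VC-3"), (86400, "VC-2"), (float("inf"), "VC-1"))  # inclusive cut-offs (my choice)
TOKEN = re.compile(r"""
    (?P<step>\(\#\d+(?:\+\#\d+)*\)|\#\d+)                # "#7" or "(#1+#7)"; whitespace is stripped first
  | \|\|\[(?P<ctx>[^\]]+)\]\[(?P<path>[^\]]+)\]\|\|      # ||[ctx][@Src⇒@Transit→@Tgt]||  bridge crossing
  | \|\[(?P<intra>[^\]]+)\](?:\[[^\]]+\])?\|             # |[sandbox][@renderer→@os]|     V2.1 intra-system
  | →\[Δt=(?P<dt>[^\]]+)\]                                # →[Δt=5m]                      attack velocity
  | \+\[DRE:(?P<dre>[^\]]+)\]                             # +[DRE:C,I]                    data risk event
  | →                                                     # plain sequential step
""", re.VERBOSE)

def parse_dt(text):                                      # "24h" -> 86400.0; "weeks" -> one nominal week
    m = re.fullmatch(r"(\d*\.?\d*)([a-z]+)", text)
    if not m or m.group(2) not in UNITS: raise ValueError(f"bad Δt value {text!r}")
    return float(m.group(1) or 1) * UNITS[m.group(2)]

def velocity_class(seconds):                             # VC-4 seconds/ms, VC-3 minutes, VC-2 hours, VC-1 days-months
    return next(vc for limit, vc in VC_LIMITS if seconds <= limit)

def parse_path(text):                                    # one attack path -> (list of step dicts, DRE list)
    text, pos, steps, dre = re.sub(r"\s+", "", text), 0, [], []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise ValueError(f"unrecognised token at {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.group("step"):
            clusters = [int(c) for c in re.findall(r"#(\d+)", m.group("step"))]
            steps.append({"clusters": clusters, "boundary": None, "intra": None, "dt": None})
        elif m.group("ctx"):                                # crossing attaches to the bridge step before it
            spheres = re.findall(r"@([^⇒→]+)", m.group("path"))   # @Src, any ⇒@Transit spheres, →@Tgt
            steps[-1]["boundary"] = {"ctx": m.group("ctx"), "source": spheres[0],
                                     "transit": spheres[1:-1], "target": spheres[-1]}
        elif m.group("intra"): steps[-1]["intra"] = m.group("intra")
        elif m.group("dt"): steps[-1]["dt"] = parse_dt(m.group("dt"))   # gap after the step it follows
        elif m.group("dre"): dre = m.group("dre").split(",")
    return steps, dre

def check_path(steps):                                   # my reading of the page's rules, not the project's validator
    issues = []
    for i, s in enumerate(steps):
        if bool(BRIDGE & set(s["clusters"])) != bool(s["boundary"]):   # bridge clusters, and only they, cross
            issues.append(f"step {i} {s['clusters']}: bridge cluster and boundary operator must go together")
        if s["intra"] not in INTRA_TYPES | {None}:                       # R-INTRA-7: four annotation types only
            issues.append(f"step {i}: unknown intra-system type {s['intra']!r}")
    return issues
```

Feeding the three pattern strings from the section above through `parse_path` yields one dict per step with its crossing, Δt and per-transition velocity class, and `check_path` returns an empty list for all three; a bridge step written without its ||..|| operator is reported.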
