Executive Summary
This analysis evaluates the Vocabulary for Event Recording and Incident Sharing (VERIS) framework through the axiomatic definitions and classification logic of the Top Level Cyber Threat Clusters (TLCTC) framework, version 2.0.
Key Findings
Definitional Divergence: VERIS is designed for incident description — it captures what happened using its A4 model (Actor, Action, Asset, Attribute). TLCTC is designed for incident explanation — it categorizes why it happened by identifying the generic vulnerability exploited at each attack step. VERIS's "Action" conflates TTPs, mechanisms, and sometimes outcomes in a single descriptive layer. TLCTC enforces strict separation between causes (Threat Clusters), the central event (Loss of Control / System Compromise), and effects (Data Risk Events).
Logical Model Differences: VERIS follows a descriptive, flat schema. TLCTC is built on an axiomatic, causal Bow-Tie model with normative rules. From TLCTC's perspective, VERIS conflates cause-side and effect-side elements: it records actions (causes) alongside attributes (effects) at the same structural level without enforcing causal hierarchy.
Category Overlap vs. Non-Overlap: VERIS action varieties can overlap and mix levels of abstraction — a single incident record may list "Phishing," "Use of stolen creds," and "Ransomware" as co-equal actions. TLCTC requires mutual exclusivity at the strategic level: each attack step maps to exactly one cluster based on the generic vulnerability exploited (Axiom VI), and multi-step complexity is handled through ordered attack path sequences (Axiom IX).
Causal Clarity and Detection Windows: TLCTC's Bow-Tie explicitly distinguishes the Loss of Control event (system compromise) from subsequent Data Risk Events (Loss of Confidentiality, Integrity, Accessibility, or Availability). This structural separation reveals detection windows — the interval between compromise and data impact where intervention remains possible. VERIS captures C/I/A loss via its Attribute dimension but does not structurally enforce this temporal-causal separation.
Velocity and Temporal Analysis: TLCTC v2.0 introduces Attack Velocity (Δt) as a formal edge property between attack steps, with four Velocity Classes (VC-1 through VC-4) that determine which control types are structurally viable. VERIS captures timeline data but lacks a formal model connecting attack speed to defensive feasibility.
Domain Boundary Awareness: TLCTC v2.0 introduces Domain Boundary Operators that formally mark where an attack path crosses responsibility spheres (e.g., from vendor to organization, from physical to cyber domain). VERIS records assets and actors but does not formalize the concept of domain crossings or responsibility transitions in attack sequences.
Key Recommendations
- Employ TLCTC as the strategic categorization layer for threat analysis, causal reasoning, and risk management, leveraging its definitional rigor, Bow-Tie structure, and axiomatic consistency.
- Utilize VERIS for detailed operational data capture — actors, specific action varieties/vectors, assets, impact quantification, and timeline information.
- Integrate the frameworks by mapping VERIS action varieties to their corresponding TLCTC clusters based on the generic vulnerability exploited, applying TLCTC's R-* classification rules for precision.
- Structure incident analysis using the TLCTC Bow-Tie model and attack path notation to impose causal order on VERIS-recorded data, including velocity annotations and domain boundary markers.
VERIS Overview
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a standardized schema designed to provide a common language for describing security incidents. Its core purpose is to enable consistent data collection, facilitate analysis, trending, and sharing of anonymized incident information. VERIS is the foundation of the annual Verizon Data Breach Investigations Report (DBIR).
VERIS structures incident descriptions around four primary dimensions, known as the "A4" model:
| A4 Component | Description | Examples |
|---|---|---|
| Actors | Identifies who acted in the incident | External (nation-state, criminal), Internal (end-user), Partner, Unknown |
| Actions | Describes what the actors did | Malware, Hacking, Social, Misuse, Physical, Error, Environmental |
| Assets | Specifies what organizational assets were affected | Servers, Networks, User Devices, People, Data |
| Attributes | Details how the assets were compromised | Confidentiality, Integrity, and Availability (C/I/A) |
Additionally, VERIS includes fields for timeline, discovery methods, impact assessment (including financial loss estimation), and victim demographics.
Detailed Analysis
Definitional Clarity
| Concept | VERIS Definition | TLCTC v2.0 Definition |
|---|---|---|
| Threat | Embodied in Action (e.g., Hacking, Malware, Social) and Actor categories — describes what action was performed and by whom. | An initiating force that exploits a generic vulnerability and can trigger the central event (Loss of Control). Implemented as 10 Threat Clusters, each defined by exactly one generic vulnerability. Threats are on the cause side of the Bow-Tie and are NOT outcomes, actors, or control failures. |
| Vulnerability | Not a core structural element. Specific CVEs can be linked under action types, but the framework is not organized around vulnerability categories. | The defining structural element. Each cluster is anchored to exactly one generic vulnerability — the root weakness that makes exploitation possible. Generic vulnerabilities are stable across technologies and implementations. |
| Incident | The central concept — a record capturing A4 elements, timeline, impact, etc. | The central event in the Bow-Tie: Loss of Control (LoC) / System Compromise — the point at which the attacker achieves unauthorized control sufficient to pursue attack objectives. Positioned before outcomes. |
| Risk | Not defined within the A4 model. Addressed through consequences captured in Attribute and Impact sections. | Likelihood of a Threat Cluster exploitation leading to impact, structured as: Threat → Event/Incident → Consequences. |
| TTP | Captured at the same level as high-level action categories within the Action dimension (action.variety, action.vector). | Belongs to the Operational Security Layer (Axiom VIII). TTPs are specific instances categorized under the broader strategic clusters. TLCTC enforces separation between the Strategic Management Layer (10 clusters, stable) and the Operational Security Layer (concrete CVEs, techniques — evolving). |
Core Misalignment: The fundamental divergence lies in the organizing principle. VERIS organizes around observed incident characteristics (A4). TLCTC organizes around the generic vulnerability being exploited at each step (the "why"). VERIS's Action dimension often captures how an attack occurred (TTPs/mechanisms), whereas TLCTC's Cluster identifies what fundamental weakness allowed it.
Alignment: Both aim to structure security event information. VERIS's Attribute dimension (C/I/A) aligns conceptually with TLCTC's Data Risk Events on the consequence side of the Bow-Tie. VERIS's Actor separation aligns with TLCTC's Axiom IV (Threats Are Not Threat Actors), which excludes actor identity from threat categorization.
Logical Consistency
VERIS Consistency: VERIS is internally consistent within its descriptive A4 model. It provides a repeatable structure for cataloging who did what to what, and how it was affected.
TLCTC Axiomatic Foundation: TLCTC derives its consistency from ten non-negotiable axioms organized into four groups:
- Scope Axioms (I–II): No system-type differentiation; client–server as universal interaction model.
- Separation Axioms (III–V): Threats are causes, not outcomes; threats are not threat actors; control failure is not a threat.
- Classification Axioms (VI–VIII): One step = one generic vulnerability = one cluster; attack vectors defined by initial generic vulnerability; strategic vs. operational layering.
- Sequence Axioms (IX–X): Clusters chain into attack paths with velocity; credentials have dual operational nature (acquisition vs. application).
Evaluation from TLCTC Perspective: VERIS is pragmatic and descriptive; it is not axiomatically derived. From the TLCTC viewpoint, VERIS commits several structural conflations:
Causes and Effects at the Same Level: VERIS records Action (cause-side: what the attacker did) alongside Attribute (effect-side: what happened to C/I/A) as co-equal dimensions of the same incident record. The TLCTC Bow-Tie normatively requires that these remain structurally distinct — threats on the left (cause) side, consequences on the right (effect) side, with Loss of Control as the central pivot.
Threats and Mechanisms Not Separated by Generic Vulnerability: VERIS action varieties describe TTPs and mechanisms without isolating the type of vulnerability targeted as the primary classification axis. TLCTC's Axiom VI mandates that every attack step maps to exactly one cluster based on the generic vulnerability exploited.
No Causal Hierarchy Enforcement: VERIS records multiple actions for a single incident without enforcing which action exploited which vulnerability in which order. TLCTC's attack path notation with the sequence operator (→) enforces explicit causal ordering.
A phishing attack leading to credential theft and server access via those credentials. VERIS records: action.social (Phishing), action.hacking (Use of stolen creds). Both appear as peer-level "actions." TLCTC decomposes this as a formally ordered sequence: #9 (Social Engineering — exploiting human psychological factors) →[Δt=24h] #4 (Identity Theft — attacker presents stolen credentials to authenticate). Each step exploits a different generic vulnerability, and R-CRED normatively governs the classification: credential acquisition maps to the enabling cluster (#9), while credential application always maps to #4.
Non-Overlapping Categories
VERIS Categories:
- The top-level A4 dimensions (Actor, Action, Asset, Attribute) are definitionally distinct from each other.
- Within Action, the primary types (Malware, Hacking, Social, Misuse, Physical, Error, Environmental) aim for distinction, but a single incident frequently involves multiple types, which VERIS records as co-occurring.
- The
action.varietyenumerations can overlap depending on interpretation — for instance, "exploitation of vulnerability" could mean different things depending on context. - VERIS mixes levels of abstraction: high-level action types, specific action.variety TTPs, and implicit outcome-flavored categories coexist in the same descriptive space.
TLCTC Approach:
- TLCTC enforces mutual exclusivity at the strategic level through Axiom VI: each attack step maps to exactly one cluster based on exactly one generic vulnerability.
- Multi-step complexity and apparent overlap are handled through attack path sequences (Axiom IX). What looks like "overlap" is actually distinct steps in a causal chain: #9 → #4 → #1 → #7, where each step exploits a different generic vulnerability.
- Ambiguity is resolved through tie-breaker rules and the R-* global mapping rules (R-ROLE, R-CRED, R-EXEC, R-FLOOD, R-ABUSE, R-HUMAN, R-PHYSICAL, R-MITM, R-SUPPLY), which provide normative decision logic for classification edge cases.
- TLCTC maintains a clear separation between the Strategic Management Layer (clusters #1–#10, stable) and the Operational Security Layer (TLCTC-XX.YY sub-threats, concrete CVEs and TTPs — evolving), per Axiom VIII.
- Topology classification further structures the clusters: seven internal clusters (#1–#7, operating within the software domain's technical attack surfaces) and three bridge clusters (#8, #9, #10 — enabling crossing into or leveraging over a different domain's control regime).
Evaluation: VERIS action varieties exhibit overlap and mixed abstraction. TLCTC's focus on unique generic vulnerabilities per cluster, combined with R-* rules, tie-breakers, and the sequence operator, enforces non-overlap at the strategic level while providing clear, auditable classification logic.
System Compromise vs. Data Risk Events
VERIS Handling:
- System Compromise: Captured implicitly through the combination of Action (e.g., Malware, Hacking) affecting an Asset (e.g., Server, Endpoint). There is no single field or structural concept explicitly labeling "System Compromise" or "Loss of Control."
- Data Risk Events: Captured via the Attribute dimension (Confidentiality, Integrity, Availability) and detailed sub-fields. The Impact section quantifies the result.
TLCTC Bow-Tie Model:
- Left (Cause) Side: Threat Cluster exploitation — the attack steps, each exploiting a specific generic vulnerability.
- Central Event (Knot): Loss of Control / System Compromise — the decisive moment where the attacker achieves unauthorized control.
- Right (Effect) Side: Consequences — Data Risk Events (Loss of Confidentiality, Loss of Integrity, Loss of Accessibility, Loss of Availability) and subsequent business risk events.
Crucially, TLCTC recognizes that the Loss of Control event can precede the Data Risk Event in time, creating a detection window — the operational interval between system compromise and data impact where intervention (DETECT, RESPOND) is still possible.
TLCTC v2.0 — Four Data Risk Events (not three):
A critical distinction VERIS does not make is between Accessibility and Availability:
| Data Risk Event | Definition | Example |
|---|---|---|
| Loss of Confidentiality (LoC) | Unauthorized disclosure — data exposed to unauthorized parties | Database breach, credential theft |
| Loss of Integrity (LoI) | Unauthorized modification — data altered without authorization | Website defacement, backdoor insertion |
| Loss of Accessibility (LoAc) | Data exists but cannot be accessed in usable form; system may be operational | Ransomware encryption — server runs, files locked |
| Loss of Availability (LoAv) | System/service is down or unreachable entirely | DDoS — server offline, all users affected |
VERIS uses a traditional C/I/A triad that conflates Accessibility and Availability. TLCTC separates them because the distinction has direct operational consequence: ransomware causes Loss of Accessibility (data present but unusable), not Loss of Availability (system down). This distinction matters for control selection — backups address LoAc; failover and capacity address LoAv.
Assessment: VERIS effectively records that data compromise occurred and what actions were involved. TLCTC provides the structural apparatus to distinguish when system compromise occurred relative to data impact, enabling detection window analysis and velocity-appropriate control selection.
Attack Velocity and Temporal Analysis
VERIS Timeline: VERIS includes timeline fields capturing when actions occurred, when the incident was discovered, when containment began, etc. This provides useful operational chronology but is purely descriptive — it does not connect temporal data to defensive feasibility.
TLCTC v2.0 Attack Velocity: TLCTC v2.0 formalizes the temporal dimension through Attack Velocity (Δt) — the time interval between adjacent attack steps in a path. Δt is an edge property attached to the sequence operator:
#9 →[Δt=24h] #4 →[Δt=5m] #1 →[Δt=0s] #7This notation reads: phishing succeeded, then 24 hours later stolen credentials were used (#4), 5 minutes later legitimate functions were abused (#1), and immediately (0 seconds) malware executed (#7).
Velocity Classes categorize these intervals into defender-feasible response modes:
| Velocity Class | Δt Range | Defender Response Mode | Example Controls |
|---|---|---|---|
| VC-1: Strategic | Days → Months | Log retention, threat hunting, strategic monitoring | SIEM correlation, threat intelligence |
| VC-2: Tactical | Hours | SIEM alerting, analyst triage, guided response | SOC workflow, playbook execution |
| VC-3: Operational | Minutes | Automation (SOAR/EDR), rapid containment, prebuilt playbooks | Automated isolation, EDR blocking |
| VC-4: Real-Time | Seconds → Milliseconds | Architecture & circuit breakers, rate-limits, hardening | WAF rules, automatic isolation, hardening |
Attack velocity determines which control types are structurally viable. A VC-4 transition (seconds between steps) cannot be addressed by analyst triage (VC-2 control) — only architectural controls or automation can intervene at that speed. This is information VERIS captures (timeline data exists) but does not formalize into actionable defensive logic.
Synergy: VERIS timeline data can be enriched by mapping it to TLCTC velocity annotations. An organization recording VERIS incidents could derive Δt values between mapped TLCTC steps and aggregate them into velocity profiles per attack pattern, informing control investment decisions.
Domain Boundaries and Responsibility Spheres
VERIS Handling: VERIS records Actors (external, internal, partner) and Assets, which implicitly captures some domain information. However, it does not formalize the concept of domain transitions within an attack sequence.
TLCTC v2.0 Domain Boundary Operators: TLCTC v2.0 introduces formal notation for marking where an attack path crosses responsibility spheres — organizational boundaries where different control regimes, policies, and teams apply:
#9 ||[phishing][@External→@Org]|| → #4 →[Δt=2h] #1 ||[cloud-admin][@Org→@CloudProvider]|| → #7This notation explicitly marks: social engineering crossed from the external domain into the organization's domain; later, function abuse crossed from the organization into the cloud provider's control regime.
Bridge clusters (#8 Physical Attack, #9 Social Engineering, #10 Supply Chain Attack) have a special structural property: their generic vulnerability inherently enables crossing into a different domain's control regime. This is a topological insight — these three clusters are the "doors" between domains.
Assessment: VERIS captures who (actor type) and what (asset type) but not the structural transitions between domains of control. TLCTC's domain boundary operators enable precise mapping of where responsibility changes hands in an attack sequence, which is critical for incident coordination, legal attribution, and multi-party response.
Potential Synergies
| VERIS Strengths Enhancing TLCTC | TLCTC Principles Addressing VERIS Limitations |
|---|---|
Operational Granularity: VERIS's rich action.variety and action.vector enumerations provide the detailed evidence needed to populate TLCTC's operational layer (Axiom VIII). |
Strategic Framework: TLCTC provides a non-overlapping, vulnerability-based strategic categorization layer that VERIS lacks natively. |
| Data Schema Maturity: VERIS provides a proven, practical schema for capturing raw incident details across thousands of organizations. | Causal Structure: The TLCTC Bow-Tie imposes rigorous causal logic that structures and clarifies relationships between VERIS-recorded elements. |
| Impact Quantification: VERIS's structured impact section (financial loss estimation, timeline metrics) is more detailed than TLCTC's general consequence categories. | Definitional Rigor: Applying TLCTC's definitions and R-* rules resolves the ambiguity and conflation inherent in interpreting VERIS data. |
| Timeline Data: VERIS captures detailed chronology that can feed TLCTC velocity analysis. | Root Cause Focus: TLCTC guides analysis toward the initial generic vulnerability exploited, preventing the common trap of focusing on outcomes. |
| Community Adoption: VERIS has broad industry adoption through the DBIR ecosystem. | Velocity-Informed Control Selection: TLCTC's Δt and Velocity Classes connect attack speed to structurally viable defenses — logic VERIS timeline data can feed but cannot itself provide. |
Strategic Risk Management Integration
VERIS Integration Challenge: VERIS data reveals operational trends — common actions, actors, assets, and impacts. This informs risk management by highlighting control weaknesses and quantifying losses. However, aggregating this detailed, event-focused data into strategic risk categories aligned with fundamental threat types (rather than specific actions or outcomes) requires significant interpretation. VERIS lacks a built-in, repeatable mechanism for this strategic translation.
TLCTC Strategic Design: TLCTC is explicitly designed to bridge strategic and operational levels through its two-layer architecture (Axiom VIII):
- Strategic Management Layer (clusters #1–#10): Stable, high-level taxonomy suitable for defining risk appetite per threat type, aligning resource allocation based on exposure to fundamental vulnerabilities, and communicating risk posture to leadership.
- Operational Security Layer (TLCTC-XX.YY sub-threats): Concrete techniques, CVEs, and procedures used in detection, response, and engineering.
This enables organizations to:
- Define strategic risk appetite per Threat Cluster
- Align resource allocation based on exposure to generic vulnerabilities
- Communicate cyber risk posture to leadership using 10 manageable categories
- Map controls to their Bow-Tie position (preventive vs. detective/corrective)
- Use NIST CSF functions as a control overlay mapped to cluster positions
Case Study
Scenario: Phishing Email Leads to Credential Theft and Ransomware Deployment
A targeted phishing email tricks an employee into entering credentials on a convincing fake login page. The attacker uses those credentials to log into the organization's VPN, then accesses a file server using legitimate administrative functions, and finally deploys ransomware that encrypts critical business files.
VERIS Analysis
| Dimension | Recording |
|---|---|
| Actor | External (Organized Crime, Financial motive) |
| Actions | Social (Phishing, Email vector); Hacking (Use of stolen creds, Remote access); Malware (Ransomware, Downloaded/Launched) |
| Assets | People (Employee); Data (Credentials); Server (File Server); Data (Business Files) |
| Attributes | Confidentiality (Credentials disclosed); Integrity (Software installed on server); Availability (Files encrypted) |
| Impact | Financial (Response costs, Ransom demand), Operational disruption |
TLCTC v2.0 Analysis
Attack Path Notation:
#9 →[Δt=24h] #4 →[Δt=10m] #1 →[Δt=0s] #7Step-by-step decomposition using R-* rules:
| Step | Cluster | Generic Vulnerability | Classification Rationale |
|---|---|---|---|
| Phishing email tricks employee into entering credentials on fake login page | #9 Social Engineering | Human psychological factors | R-HUMAN: The attacker's advantage comes from psychological manipulation. The credential capture is a consequence of #9 (credential acquisition maps to the enabling cluster per R-CRED). |
| Attacker presents stolen credentials to VPN authentication | #4 Identity Theft | Weak identity-artifact binding / credential lifecycle | R-CRED: Credential application — presenting credentials to authenticate — MUST always map to #4. This is the use step, not the acquisition step. |
| Attacker uses legitimate admin functions to access file server | #1 Abuse of Functions | Scope/trust designed into software functionality | R-ABUSE: No implementation flaw required — the attacker abuses intended administrative functionality via standard interfaces. |
| Ransomware payload executes on file server | #7 Malware | Designed execution capability for untrusted content | R-EXEC: Foreign Executable Content is executed — a #7 step MUST be recorded at the moment of execution, independent of how execution was enabled. |
Central Event: Loss of Control — account compromised (#4), then server compromised (#1/#7).
Data Risk Events (Consequence Side):
- LoC (Loss of Confidentiality): Credentials disclosed during phishing (consequence of #9 step).
- LoI (Loss of Integrity): Unauthorized software installed on server (consequence of #7 step).
- LoAc (Loss of Accessibility): Files encrypted by ransomware — server operational but data unusable. Note: this is not Loss of Availability (LoAv). The server is still up; the data is inaccessible due to encryption.
Domain Boundary Notation (full path with boundaries):
#9 ||[phishing][@Attacker→@Org]|| →[Δt=24h] #4 →[Δt=10m] #1 →[Δt=0s] #7 + [DRE: C, I, Ac]Velocity Analysis:
- #9 → #4: Δt=24h (VC-1/Strategic) — Threat hunting or anomaly detection on credentials could intervene. Detection of credential use from unusual location is viable.
- #4 → #1: Δt=10m (VC-3/Operational) — Automated detection (EDR/SIEM) and containment playbooks are the viable response mode.
- #1 → #7: Δt=0s (VC-4/Real-Time) — Only architectural controls (application whitelisting, code signing, execution restrictions) can prevent this transition. Human analyst response is structurally impossible at this speed.
Comparative Insight
| Dimension | VERIS | TLCTC v2.0 |
|---|---|---|
| What it tells you | Detailed inventory of actions, assets, and impacts. Describes what happened. | Causal chain based on exploited generic vulnerabilities. Explains why it happened. |
| Credential handling | Records "Phishing" and "Use of stolen creds" as peer-level actions. | Separates credential acquisition (#9 — phishing made it possible) from credential application (#4 — attacker authenticated) per R-CRED and Axiom X. |
| Ransomware classification | Records "Ransomware" as an action variety. | "Ransomware" is an outcome label. The threat steps are #1 (abusing file system functions) and #7 (executing foreign code). The consequence is LoAc. |
| Temporal intelligence | Records timeline (when events occurred). | Formalizes velocity (Δt) between steps and maps to defensive feasibility classes (VC-1 through VC-4). |
| Strategic consequence | Shows peaks in "Phishing" and "Ransomware" — might lead to investment in email filters and AV. | Reveals vulnerabilities in human factors (#9), credential lifecycle (#4), functional scope (#1), and execution controls (#7) are being chained. Each step is an intervention point with velocity-appropriate controls. |
Mapping VERIS Action Categories to TLCTC Clusters
A systematic mapping between VERIS's action categories and TLCTC's Threat Clusters provides the operational-to-strategic bridge essential for integration. This mapping applies TLCTC's R-* classification rules for precision.
| VERIS Action Category | Primary TLCTC Cluster | Generic Vulnerability | Classification Rule |
|---|---|---|---|
| Social | |||
| Phishing | #9 Social Engineering | Human psychological factors | R-HUMAN: Advantage from psychological manipulation → #9 |
| Pretexting | #9 Social Engineering | Human psychological factors | R-HUMAN |
| Bribery | #9 Social Engineering | Human psychological factors | R-HUMAN |
| Hacking | |||
| SQL Injection | #2 Exploiting Server | Server-side code implementation flaws | R-ROLE: Server processes attacker's request → #2. If SQLi triggers xp_cmdshell → #2 → #7 per R-EXEC |
| XSS (Reflected/Stored) | #2 Exploiting Server (flaw) → #3/#7 (execution) | Server-side flaw enables client-side impact | The flaw is server-side (#2). If the XSS payload executes as FEC in the victim's browser, R-EXEC requires a #7 step. |
| Brute Force | #1 Abuse of Functions (attempt) → #4 Identity Theft (use) | Functional scope (#1), credential lifecycle (#4) | The brute force attempt abuses the login function's intended capability (#1 per R-ABUSE). If it succeeds, the use of the cracked credential → #4 per R-CRED. |
| Use of stolen creds | #4 Identity Theft | Weak identity-artifact binding | R-CRED: Credential application MUST always map to #4. The acquisition method maps to its own enabling cluster. |
| Exploitation of vulnerability | #2 or #3 (context-dependent) | Code implementation flaws | R-ROLE: Server-role component → #2; client-role component → #3. If exploitation results in FEC execution → append → #7 per R-EXEC. |
| Malware | |||
| Ransomware | #7 Malware | Designed execution capability | R-EXEC: FEC execution → #7. The consequence (encrypted files) is LoAc, not a threat category. |
| Backdoor | #7 Malware | Designed execution capability | R-EXEC |
| Spyware / Keylogger | #7 Malware | Designed execution capability | R-EXEC. If keylogger captures credentials, that's credential acquisition via #7. Subsequent credential use → #4. Path: #7 → #4 per R-CRED. |
| RAM scraper | #7 Malware | Designed execution capability | R-EXEC |
| Physical | |||
| Theft | #8 Physical Attack | Physical accessibility/interference | R-PHYSICAL: Advantage from physical interaction → #8. Bridge cluster. |
| Tampering | #8 Physical Attack | Physical accessibility/interference | R-PHYSICAL. If tampering leads to subsequent technical exploitation, separate steps apply: #8 → #2/#7/etc. |
| Misuse | |||
| Privilege abuse | #1 Abuse of Functions | Functional scope/trust | R-ABUSE: Using legitimate access for unauthorized purposes via standard interfaces → #1. |
| Error / Environmental | |||
| Misconfiguration | Not a threat cluster | N/A | Per Axiom V: Control failure is not a threat. Misconfiguration enables exploitation but is not itself a TLCTC threat. |
| Environmental | Outside TLCTC scope | N/A | TLCTC classifies adversarial cyber threats. Environmental events are non-adversarial and outside scope. |
Critical Mapping Considerations
Context Sensitivity and R-* Rules: Some VERIS action varieties require contextual analysis and application of specific R-* rules to determine the correct TLCTC cluster. "Exploitation of vulnerability" is a common example — it maps to #2 or #3 depending on role determination (R-ROLE), and may chain to #7 if foreign executable content is executed (R-EXEC).
Credential Dual Nature (Axiom X, R-CRED): This is the most common source of misclassification. VERIS records "Use of stolen creds" as a single hacking action. TLCTC requires separating:
- Credential acquisition (how were they obtained?) → Maps to the enabling cluster (#9 for phishing, #2 for server-side disclosure, #7 for keylogger, #5 for MitM interception, #8 for physical theft)
- Credential application (how were they used?) → MUST always map to #4 Identity Theft
When both occur, they MUST be represented as at least two steps: (enabling cluster) → #4.
Attack Sequencing: VERIS may record multiple actions for a single incident. TLCTC requires determining which action is the initial vector, which are follow-on steps, and what the causal order is. The TLCTC attack path sequence (Axiom IX) imposes this structure.
Outcome Labels Are Not Clusters: VERIS action varieties like "Ransomware" describe a tool/outcome hybrid. In TLCTC, "ransomware" is not a valid threat category — it's a description of an outcome (LoAc) and possibly a tool (#7). The actual threat path might be #9 → #4 → (#1 + #7) with LoAc as the consequence.
Bridge vs. Internal Topology: VERIS actions like Social, Physical, and supply-chain-related incidents map to TLCTC's bridge clusters (#8, #9, #10), which have a special structural property: they enable domain crossings. This topology information can enrich VERIS analysis by highlighting where responsibility spheres change.
Integration Recommendations
- Adopt TLCTC for Strategic Categorization: Use the 10 TLCTC clusters as the authoritative high-level framework for categorizing threats based on the root generic vulnerability exploited. This layer is essential for strategic risk management, board communication, and comparable incident documentation.
- Map VERIS Detail to TLCTC Operational Layer: Treat VERIS
action.varietyandaction.vectordata as Tactics, Techniques, and Procedures that fall within the TLCTC Operational Security Layer (Axiom VIII). Apply R-* rules for precise classification. Maintain a mapping dictionary as outlined in the mapping section above. - Utilize VERIS for Data Capture: Leverage the comprehensive VERIS schema for detailed, consistent recording of incident specifics (Actors, Actions, Assets, Attributes, Timeline, Discovery, Impact).
- Structure Analysis with TLCTC Bow-Tie: When analyzing incidents recorded via VERIS, apply the TLCTC Bow-Tie:
- Identify the initiating TLCTC cluster(s) and build the full attack path sequence.
- Pinpoint the Loss of Control / System Compromise event (the Bow-Tie central event).
- Map VERIS Attribute and Impact data to the consequence side as Data Risk Events (LoC, LoI, LoAc, LoAv).
- Derive velocity annotations (Δt) from VERIS timeline data and assign Velocity Classes.
- Identify domain boundary crossings using TLCTC's bridge cluster topology.
- Dual-Layer Reporting:
- Operational reports: Use granular VERIS data for SOC-level trending, detection engineering, and incident response.
- Strategic reports: Aggregate VERIS incident frequency and impact by mapped TLCTC cluster. Include velocity profiles and domain boundary analysis for leadership dashboards.
- Enrich VERIS Records with TLCTC Fields: Enhance VERIS implementations by adding custom fields:
plus.tlctc_primary_cluster— The initiating TLCTC cluster.plus.tlctc_attack_path— Full attack path sequence (e.g., "#9 → #4 → #1 → #7").plus.tlctc_velocity_class— Dominant velocity class of the attack.plus.tlctc_domain_crossings— Domain boundaries crossed during the incident.plus.tlctc_data_risk_events— Specific DREs: LoC, LoI, LoAc, LoAv.
- Maintain a Living Mapping Reference: Develop and maintain an organization-specific reference mapping VERIS action varieties to TLCTC clusters, updated regularly as new techniques emerge and R-* rules are applied to new edge cases.
Conclusion
VERIS and TLCTC offer distinct but highly complementary capabilities. VERIS provides an invaluable, battle-tested schema for describing the observable characteristics of security incidents — it excels at answering what happened. TLCTC, grounded in ten non-negotiable axioms and organized around generic vulnerabilities, delivers a logically consistent, non-overlapping framework for understanding why it happened — identifying the fundamental weaknesses that made each attack step possible.
The integration of these frameworks creates capabilities neither possesses alone:
VERIS without TLCTC produces detailed incident inventories that require significant interpretation to yield strategic insight. Trends in "phishing" and "ransomware" actions describe symptoms without exposing the underlying vulnerability chain.
TLCTC without VERIS provides powerful causal logic and strategic categorization but lacks a mature, widely-adopted operational data capture schema.
Together, VERIS supplies the operational evidence while TLCTC provides the causal grammar. VERIS timeline data feeds TLCTC velocity analysis. VERIS actor and asset information enriches TLCTC domain boundary mapping. TLCTC's Bow-Tie structures VERIS data into cause → event → consequence chains. TLCTC's R-* rules resolve the classification ambiguities inherent in VERIS's descriptive approach.
The result is an analytical capability that transforms incident recording from description into explanation — connecting granular operational data to strategic risk management through a shared, cause-oriented taxonomy that remains stable as specific threats evolve.
Analysis based on TLCTC v2.0 White Paper. VERIS schema documentation available at veriscommunity.net.