Cyber Security (CYBER); Structured threat information sharing (with reference to ETSI TR 103 331 V2.1.1 (2022-12))
The Gap Between Title and Content: A Critical Analysis of Cyber Threat Understanding
Despite its focus on cyber security and structured threat information sharing, ETSI TR 103 331 neither provides a definition of what constitutes a cyber threat nor offers a structured categorization of cyber threats. This fundamental disconnect between title and content reflects a broader issue in the cybersecurity standards landscape.
The Standards Cross-Reference Problem
The document exemplifies a common pattern in technical standards: extensive cross-referencing of other standards and frameworks without establishing core definitions. For instance, ETSI refers to NIST's threat definition, while NIST references other frameworks. ITU-T points to IETF standards, and ISO standards reference back to these sources. This circular referencing creates an illusion of completeness while leaving fundamental questions unanswered.
Impact on Operational Reality
This lack of foundational definitions leads to a problematic situation where organizations worldwide discuss cyber threats without a shared understanding of what they're discussing. Security teams, risk managers, and executives use the same terms but may mean entirely different things. This ambiguity impacts:
- Risk Assessment accuracy
- Threat Intelligence sharing effectiveness
- Strategic security planning
- Cross-organizational collaboration
The TLCTC Solution
The Top Level Cyber Threat Clusters (TLCTC) concept addresses this gap by providing:
- A clear definition of cyber threats based on generic vulnerabilities
- A logical, non-overlapping categorization system using 10 distinct clusters
- A framework that bridges strategic and operational perspectives
Unlike the circular referencing seen in current standards, TLCTC establishes its foundation through a logical thought experiment and clear axioms. This approach breaks the cycle of undefined terms and creates a common baseline for understanding and discussing cyber threats.
By adopting such a framework, the cybersecurity community could move from talking about cyber threats in abstract, undefined terms to having structured, meaningful discussions based on shared understanding. This would significantly improve both strategic planning and operational execution in cybersecurity.
General Analysis of ETSI Documentation vs TLCTC Framework
Based on my analysis of the ETSI documentation and a comparison with the Top Level Cyber Threat Clusters (TLCTC) framework, there are several significant weaknesses in ETSI's approach to cyber threat definition and categorization:
1. Confusion Between Threats and Outcomes:
- ETSI's "general" threat categories (such as "loss of accountability" and "loss of availability") are outcomes or consequences rather than threats themselves
- This violates a key axiom that threats belong on the cause side of the bow-tie model
- The categories thus confuse what can happen (outcomes) with what causes it to happen (threats)
2. Inconsistent Categorization Logic:
- Their telecommunication-specific categories mix different conceptual levels
- For example, "Management Threats" and "System Integrity Threats" are at different levels of abstraction
- There's no clear derivation methodology explaining why these specific categories were chosen
3. Weak Threat Definition:
- ETSI's definition of a threat as something that "can lead to an unwanted incident breaking certain pre-defined security objectives" is circular and vague
- It doesn't clearly distinguish between threats, vulnerabilities, and security incidents
- It fails to focus on the exploitation of generic vulnerabilities, which is crucial for effective threat categorization
4. Mixed Risk Elements:
- Categories like "System or service Deficiencies" are control failures rather than threats
- "Threats generated by Safeguards" conflates controls with threats
- This mixing of different risk elements makes it harder to develop clear mitigation strategies
5. Lack of Attack Path Understanding:
- The framework doesn't account for how threats can be sequenced in attack paths
- There's no consideration of how different threats might be combined in sophisticated attacks
- This limits its usefulness for threat intelligence and incident response
6. Overemphasis on Industry-Specific Categories:
- While telecommunications-specific categories might seem useful, they limit the framework's broader applicability
- They focus on system types rather than underlying generic vulnerabilities
- This approach makes it harder to apply lessons learned across different domains
7. Missing Clear Vulnerability Mapping:
- There's no explicit mapping between threats and the generic vulnerabilities they exploit
- This makes it harder to implement effective controls and understand root causes
- It also complicates risk assessment and prioritization
These weaknesses make ETSI's approach less effective for practical cyber risk management and threat intelligence. A more structured approach, like the TLCTC framework, which clearly separates threats from outcomes and focuses on generic vulnerabilities, would provide a more robust foundation for cybersecurity efforts.
ETSI struggles with Cyber Threat Categorization - Linking STRIDE does not help
A historical analysis of ETSI's approach to cyber threat categorization, spanning from ETR 332 (1996) through TR 103 743 (2021), reveals persistent challenges in developing a comprehensive and logically consistent framework for categorizing cyber threats. Despite attempts to incorporate established frameworks like STRIDE, fundamental issues remain unresolved.
Historical Evolution and Persistent Issues
ETSI's early work on threat categorization, as documented in ETR 332 (1996), established patterns that continue to influence their approach today. The document introduced "general threat categories" that mixed threats with outcomes (like "loss of availability" and "loss of integrity"), setting a precedent for conceptual confusion that persists in later documents.
Fast forward to 2021, and ETSI TR 103 743's attempt to align with STRIDE demonstrates that these fundamental issues remain unresolved. While STRIDE provides a widely recognized framework, its adoption does not address the core problems in ETSI's approach to threat categorization.
Key Problems in ETSI's Current Approach
Confusion Between Threats and Outcomes
- Both early (ETR 332) and recent (TR 103 743) documents consistently mix threats with their outcomes
- The mapping to STRIDE in TR 103 743 inherits this problem, as STRIDE itself mixes actions (like Spoofing) with outcomes (like Denial of Service)
- This confusion makes it difficult to develop clear, targeted security controls
Lack of Logical Derivation
- ETSI's frameworks, including their integration with STRIDE, lack a clear methodology for deriving threat categories
- There's no systematic approach to ensure completeness in threat coverage
- The absence of a logical foundation makes it difficult to validate whether all potential threats are addressed
Missing Connection to Generic Vulnerabilities
- ETSI's categorization schemes fail to establish clear links between threats and their underlying generic vulnerabilities
- This gap makes it harder to develop comprehensive security measures
- The focus on system types rather than fundamental vulnerabilities limits the frameworks' applicability
Impact on Cybersecurity Practice
The consequences of these shortcomings are significant:
Risk Management Challenges
- Organizations struggle to develop comprehensive risk management strategies due to unclear threat categorization
- The mixing of threats and outcomes can lead to inefficient resource allocation
- Security controls may not address root causes effectively
Implementation Difficulties
- Security practitioners face challenges in translating ETSI's frameworks into actionable security measures
- The lack of clear threat-vulnerability mapping makes it harder to prioritize security investments
- Integration with existing security tools and processes becomes more complex
The Path Forward
To address these issues, ETSI would benefit from adopting an approach similar to the Top Level Cyber Threat Clusters (TLCTC) framework, which:
- Derives threats from generic vulnerabilities through a logical thought experiment
- Maintains clear separation between threats (causes) and outcomes (consequences)
- Provides a consistent methodology for ensuring completeness
Conclusion
While ETSI's attempt to incorporate STRIDE represents a step toward standardization, it does not resolve the fundamental issues in their approach to threat categorization. A more rigorous, logically derived framework based on generic vulnerabilities would better serve the cybersecurity community's needs for comprehensive threat identification and risk management.
This historical analysis demonstrates that ETSI's challenges with threat categorization are deeply rooted and require a fundamental rethinking of their approach, rather than simple alignment with existing frameworks like STRIDE. The cybersecurity community would benefit from a more systematic and logically complete approach to threat categorization.