Barnes Projects

Cyber Security (CYBER); Structured threat information sharing (with reference to ETSI TR 103 331 V2.1.1 (2022-12))

The Gap Between Title and Content: A Critical Analysis of Cyber Threat Understanding

Despite its focus on cyber security and structured threat information sharing, ETSI TR 103 331 neither provides a definition of what constitutes a cyber threat nor offers a structured categorization of cyber threats. This fundamental disconnect between title and content reflects a broader issue in the cybersecurity standards landscape.

The Standards Cross-Reference Problem

The document exemplifies a common pattern in technical standards: extensive cross-referencing of other standards and frameworks without establishing core definitions. For instance, ETSI refers to NIST's threat definition, while NIST references other frameworks. ITU-T points to IETF standards, and ISO standards reference back to these sources. This circular referencing creates an illusion of completeness while leaving fundamental questions unanswered.

Impact on Operational Reality

This lack of foundational definitions leads to a problematic situation where organizations worldwide discuss cyber threats without a shared understanding of what they're discussing. Security teams, risk managers, and executives use the same terms but may mean entirely different things. This ambiguity impacts:

The TLCTC Solution

The Top Level Cyber Threat Clusters (TLCTC) concept addresses this gap by providing:

  1. A clear definition of cyber threats based on generic vulnerabilities
  2. A logical, non-overlapping categorization system using 10 distinct clusters
  3. A framework that bridges strategic and operational perspectives

Unlike the circular referencing seen in current standards, TLCTC establishes its foundation through a logical thought experiment and clear axioms. This approach breaks the cycle of undefined terms and creates a common baseline for understanding and discussing cyber threats.

By adopting such a framework, the cybersecurity community could move from talking about cyber threats in abstract, undefined terms to having structured, meaningful discussions based on shared understanding. This would significantly improve both strategic planning and operational execution in cybersecurity.

General Analysis of ETSI Documentation vs TLCTC Framework

Based on my analysis of the ETSI documentation and comparing it with the Top Level Cyber Threat Clusters (TLCTC) framework, there are several significant weaknesses in ETSI's approach to cyber threat definition and categorization:

1. Confusion Between Threats and Outcomes:

2. Inconsistent Categorization Logic:

3. Weak Threat Definition:

4. Mixed Risk Elements:

5. Lack of Attack Path Understanding:

6. Overemphasis on Industry-Specific Categories:

7. Missing Clear Vulnerability Mapping:

These weaknesses make ETSI's approach less effective for practical cyber risk management and threat intelligence. A more structured approach, like the TLCTC framework, which clearly separates threats from outcomes and focuses on generic vulnerabilities, would provide a more robust foundation for cybersecurity efforts.

ETSI struggles with Cyber Threat Categorization - Linking STRIDE does not help

A historical analysis of ETSI's approach to cyber threat categorization, spanning from ETR 332 (1996) through TR 103 743 (2021), reveals persistent challenges in developing a comprehensive and logically consistent framework for categorizing cyber threats. Despite attempts to incorporate established frameworks like STRIDE, fundamental issues remain unresolved.

Historical Evolution and Persistent Issues

ETSI's early work on threat categorization, as documented in ETR 332 (1996), established patterns that continue to influence their approach today. The document introduced "general threat categories" that mixed threats with outcomes (like "loss of availability" and "loss of integrity"), setting a precedent for conceptual confusion that persists in later documents.

Fast forward to 2021, and ETSI TR 103 743's attempt to align with STRIDE demonstrates that these fundamental issues remain unresolved. While STRIDE provides a widely recognized framework, its adoption does not address the core problems in ETSI's approach to threat categorization.

Key Problems in ETSI's Current Approach

Confusion Between Threats and Outcomes

Lack of Logical Derivation

Missing Connection to Generic Vulnerabilities

Impact on Cybersecurity Practice

The consequences of these shortcomings are significant:

Risk Management Challenges

Implementation Difficulties

The Path Forward

To address these issues, ETSI would benefit from adopting an approach similar to the Top Level Cyber Threat Clusters (TLCTC) framework, which:

Conclusion

While ETSI's attempt to incorporate STRIDE represents a step toward standardization, it does not resolve the fundamental issues in their approach to threat categorization. A more rigorous, logically derived framework based on generic vulnerabilities would better serve the cybersecurity community's needs for comprehensive threat identification and risk management.

This historical analysis demonstrates that ETSI's challenges with threat categorization are deeply rooted and require a fundamental rethinking of their approach, rather than simple alignment with existing frameworks like STRIDE. The cybersecurity community would benefit from a more systematic and logically complete approach to threat categorization.

PROJECT REFERENCE: Cyber Threat Clusters

EXTERNAL REFERENCE: Cyber Security (CYBER); Structured threat information sharing, ETSI TR 103 331 V2.1.1 (2022-12)

No additional updates are scheduled at this time.