Model-based threat analysis
Workflow of the method "Model-based threat analysis"
Source: https://repo.valu3s.eu/use-cases/intelligent-traffic-surveillance/workflow/model-based-threat-analysis
Model-based threat analysis is a threat modelling approach that uses STRIDE as its basis. It serves as a means to analyse systems for threats as well as failures, and consists of three major components:

A system model represents the system under consideration in its current status. This means that the approach can be applied during the design phase, where assumptions about the future system drive development, as well as during the implementation phase, which reveals shortcomings of the planned system and therefore results in an adaptation of the system. Moreover, model-based threat analysis can also be applied during the operational phase, when the system is already running and a component may fail and therefore require replacement. The system model is based on a data flow diagram. It holds all known security attributes of the system components as well as the connections between them.

A threat model represents a digital twin of known threats. It is constituted of rules that allow for a later analysis of the system model. These rules are anti-patterns: system configurations that are considered insecure and should therefore not be contained within the system under consideration.

A threat analysis engine enables an automated analysis of the system. It compares each rule with the system model to detect potentially insecure configurations and, consequently, the threats the system under consideration may be affected by.

The whole threat modelling process results in a catalogue depicting the threats that the system suffers from and which, consequently, require treatment. The current rule sets were derived from UNECE WP29, ETSI and the ITU. The tool used is ThreatGet. The described approach is an iterative process which allows for consecutive analyses of the system with applied security measures that serve as threat mitigations.
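The three components and the iterative mitigate-and-re-analyse loop described above, as an added Python illustration (not ThreatGet's code or its rule language; the camera, ingest and storage elements, their security attributes and the three STRIDE anti-pattern rules are constructed for this example):

```python
from dataclasses import dataclass, field

@dataclass
class Element:
    name: str
    kind: str                                   # "external", "process" or "datastore"
    attrs: dict = field(default_factory=dict)   # known security attributes

@dataclass
class Flow:
    src: str
    dst: str
    attrs: dict = field(default_factory=dict)

# System model: a small data flow diagram, constructed for this illustration.
ELEMENTS = [Element("roadside_camera", "external", {"authenticated": False}),
            Element("video_ingest", "process"),
            Element("recording_store", "datastore", {"logging": False})]
MODEL = {"elements": {e.name: e for e in ELEMENTS},
         "flows": [Flow("roadside_camera", "video_ingest", {"encrypted": False}),
                   Flow("video_ingest", "recording_store", {"encrypted": True})]}

# Threat model: anti-pattern rules. Each is a STRIDE category, a predicate over one
# flow f with its source s and destination d, and the insecure configuration it names.
RULES = [
    ("Spoofing", lambda f, s, d: s.kind == "external" and not s.attrs.get("authenticated"),
     "unauthenticated external source"),
    ("Information disclosure", lambda f, s, d: not f.attrs.get("encrypted"),
     "data flow is not encrypted"),
    ("Repudiation", lambda f, s, d: d.kind == "datastore" and not d.attrs.get("logging"),
     "datastore written without logging"),
]

def analyse(model, rules=RULES):
    """Analysis engine: match every rule against every flow; return the threat catalogue."""
    catalogue = []
    for f in model["flows"]:
        s, d = model["elements"][f.src], model["elements"][f.dst]
        catalogue += [(cat, f"{f.src}->{f.dst}", why) for cat, pred, why in rules if pred(f, s, d)]
    return catalogue

def mitigate(model, target, **measures):
    """Iterative step: record a measure on an element (name) or flow ((src, dst)), re-analyse."""
    for f in model["flows"]:
        if (f.src, f.dst) == target:
            f.attrs.update(measures)
    if target in model["elements"]:
        model["elements"][target].attrs.update(measures)
    return analyse(model)
```

Each call to `mitigate` returns the shrinking catalogue, so the remaining entries after a round are the threats that still require treatment.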