Supply Chain Threat Types
Supply chain attacks take many forms. Some target software vendors and distribute malicious updates to customers. Others target managed service providers, cloud platforms, contractors, consultants, or suppliers with privileged access to systems and information. Attackers often target third parties because they are easier to compromise than the organisations they ultimately wish to attack. In other cases, attackers target suppliers precisely because they provide access to many downstream organisations at once. Compromised suppliers may even become commodities in criminal markets, with access sold to other attackers who then target their customers.
Regardless of the target or motivation, the requirements are similar for downstream organisations seeking security from possible vendor breaches. Effective remediation requires a supply chain audit and targeted hardening strategy. Our approach to supply chain security focuses on understanding both the dependencies your organisation has and the pathways through which those dependencies could be abused by an attacker. We draw on our knowledge of real-world supply chain attacks to identify and target the highest-risk supply chain attack pathways.