3.2.3. Supply Chain Vectors
💡 First Principle: Supply chain attacks compromise a trusted vendor, supplier, or service provider to reach downstream targets. They're devastating because they exploit the trust relationships organizations depend on: you vet your own software, but do you vet the libraries inside your vendor's software? Supply chain attacks turn your defenses inside out by making the threat arrive through a trusted channel.
Managed service providers (MSPs) have privileged access to client networks for remote monitoring, patching, and support. Compromising one MSP can give an attacker access to hundreds of client environments simultaneously. The Kaseya attack in 2021 demonstrated this at scale: a single vulnerability in Kaseya's management software was exploited to deploy ransomware to over 1,500 businesses through their MSPs.
Vendors: compromised vendor software updates deliver malware to every customer who installs the update. The SolarWinds attack (2020) embedded malicious code in a legitimate Orion software update that was distributed to approximately 18,000 organizations, including US government agencies. Because the malware arrived through the normal update channel, security tools that trusted SolarWinds software never flagged it.
Suppliers: hardware supply chain attacks can implant malicious chips, firmware, or software during manufacturing. These are extremely difficult to detect because the compromised product arrives through a trusted procurement channel, passes physical inspection, and functions normally while silently exfiltrating data or providing backdoor access.
Open-source dependencies: modern software relies on hundreds of third-party libraries. A compromised or abandoned open-source package (like the event-stream incident in 2018) can inject malicious code into every application that depends on it. Software composition analysis (SCA) tools help track dependencies and known vulnerabilities.
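As an added example that is not part of the original text, the following Python script shows the two defensive checks these paragraphs point at: pinning each dependency to the hash of the artifact that was actually reviewed, so a swapped or tampered update fails verification, and flagging pinned versions covered by a known advisory, the way an SCA tool does. All package names, versions, digests and the advisory id are constructed placeholders.

```python
import hashlib
import re

# One requirements.txt-style pin per line: name==version --hash=sha256:<digest>
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[0-9.]+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)

def parse_version(v: str) -> tuple:
    """'3.10.0' -> (3, 10, 0), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_lockfile(text: str) -> dict:
    """Return {name: (version, sha256)}; fail closed on any unpinned or malformed line."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed dependency line: {line!r}")
        pins[m["name"]] = (m["ver"], m["sha"])
    return pins

def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if the downloaded bytes hash to the digest recorded at review time."""
    _, expected = pins[name]
    return hashlib.sha256(data).hexdigest() == expected

def find_vulnerable(pins: dict, advisories: dict) -> list:
    """Return (name, version, advisory) for each pin at or below the last affected version."""
    hits = []
    for name, (ver, _) in pins.items():
        if name in advisories:
            last_bad, advisory_id = advisories[name]
            if parse_version(ver) <= parse_version(last_bad):
                hits.append((name, ver, advisory_id))
    return hits

# Constructed sample data (not real packages): the reviewed artifact, a tampered copy,
# a lockfile pinned to the reviewed bytes, and one advisory with a placeholder id.
GOOD_ARTIFACT = b"fake-package-contents-v1"
TAMPERED_ARTIFACT = b"fake-package-contents-v1-with-extra-payload"
SAMPLE_LOCKFILE = (
    f"alpha-lib==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
    f"beta-stream==3.3.6 --hash=sha256:{'0' * 64}\n"
)
SAMPLE_ADVISORIES = {"beta-stream": ("3.3.6", "ADVISORY-ID-PLACEHOLDER")}
```

Running `verify_artifact("alpha-lib", TAMPERED_ARTIFACT, parse_lockfile(SAMPLE_LOCKFILE))` returns False, which is the point: an update that arrives through the trusted channel is still rejected when its bytes differ from what was reviewed.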
⚠️ Exam Trap: Supply chain attacks bypass your security controls entirely because the malicious payload arrives through a trusted channel. The exam may describe a scenario where a legitimate software update installs malware: that's a supply chain attack, not a software vulnerability in your own systems.
