An attack that compromises an organization indirectly by targeting a trusted supplier, vendor, or software component it relies on.
In a supply chain attack, the adversary breaches a less protected third party, such as a software vendor, open-source component maintainer, or managed service provider, and then abuses the trust the target already extends to that party (installed agents, signed update channels, privileged remote access) to reach the real target. A malicious update pushed through a vendor's legitimate, signed update mechanism is the notorious example: the victim installs it precisely because it comes from a trusted source.
Because an organization inherits the security posture of every supplier and component in its supply chain, controls such as supplier due diligence (including review of a vendor's build and update pipeline), software bills of materials that are actually checked against vulnerability data rather than merely collected, and the NIS2 obligations on supply chain security have become central.