Supply Chain and Insider Threat Scenarios
Key Takeaways
- Supply chain attacks compromise trust relationships such as vendors, software updates, dependencies, managed services, or hardware sources.
- Vendor risk controls include due diligence, contracts, security requirements, access limits, monitoring, and offboarding.
- Insider threats may be malicious, negligent, or compromised; the common element is trusted access.
- Software supply chain defense includes signed code, dependency review, SBOM use, secure build pipelines, and least privilege for CI/CD.
- Scenario questions often ask for the best preventive process control, not just a technical detection tool.
Supply chain risk comes from trusted relationships. The attacker may target a vendor, dependency, build system, update channel, managed service provider, contractor, or hardware source because that path is easier than attacking the final organization directly.
| Supply chain path | Scenario clue | Useful control |
|---|---|---|
| Software dependency | New library version behaves unexpectedly | Dependency review, lock files, vulnerability scanning |
| CI/CD pipeline | Build job injects code or leaks secrets | Least privilege, secret vaulting, signed builds |
| Vendor remote access | Support account connects at unusual time | MFA, PAM, time-bound access, monitoring |
| Managed service provider | One provider account reaches many customers | Segmentation, tenant isolation, contractual controls |
| Hardware or firmware | Device arrives with altered firmware | Trusted sourcing, validation, secure boot |
| Update mechanism | Trusted updater delivers malicious package | Code signing, update integrity checks |
Insider Threat Types
| Type | Behavior | Example |
|---|---|---|
| Malicious insider | Intentionally misuses access | Copies source code before resignation |
| Negligent insider | Causes risk through carelessness | Uploads restricted data to personal cloud storage |
| Compromised insider | Account is controlled by attacker | Valid VPN login from impossible travel location |
| Privileged insider | Has elevated access that can cause broad impact | Admin disables logs before data export |
Scenario Walkthrough 1: Vendor Access
A facilities vendor needs temporary access to building management systems for a repair. The weak approach is a shared always-on VPN account. A better approach is named vendor accounts, MFA, least privilege, access only during the repair window, network segmentation, logging, and removal after completion. If the vendor needs repeated access, review it periodically and include security obligations in the contract.
Scenario Walkthrough 2: Build Pipeline
A developer notices that a release artifact differs from the reviewed source code. The concern is software supply chain integrity. Useful controls include signed commits, protected branches, peer review, build provenance, artifact signing, secret management, restricted CI/CD permissions, and separation between build and deployment approval.
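The integrity check behind this walkthrough, as an added example that is not part of the original guide: it compares a release tarball against digests recorded from the reviewed source tree and reports files the build added, changed, or dropped. It assumes the package ships source files verbatim; the function names and sample files are hypothetical and constructed for illustration.

```python
import hashlib
import io
import tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def source_manifest(files: dict) -> dict:
    """Record path -> SHA-256 for every file in the reviewed source tree."""
    return {path: sha256(data) for path, data in files.items()}

def audit_artifact(artifact: bytes, manifest: dict) -> dict:
    """Compare a release tarball against the reviewed manifest."""
    added, modified, seen = [], [], set()
    with tarfile.open(fileobj=io.BytesIO(artifact), mode="r:*") as tar:
        for member in tar:
            if member.isdir():
                continue
            if not member.isfile() or member.name not in manifest:
                added.append(member.name)  # unreviewed file, link or device
                continue
            seen.add(member.name)
            if sha256(tar.extractfile(member).read()) != manifest[member.name]:
                modified.append(member.name)
    return {"added": sorted(added), "modified": sorted(modified),
            "missing": sorted(set(manifest) - seen)}

def make_tar(files: dict) -> bytes:
    """Helper: pack a path -> bytes mapping into a gzip tarball in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: a two-file reviewed tree and a release with one extra script.
REVIEWED = {"app/main.py": b"print('hello')\n",
            "app/util.py": b"def add(a, b):\n    return a + b\n"}
RELEASED = dict(REVIEWED)
RELEASED["app/postinstall.py"] = b"# placeholder for a script injected during the build\n"

if __name__ == "__main__":
    report = audit_artifact(make_tar(RELEASED), source_manifest(REVIEWED))
    print(report)
```

The comparison is only as trustworthy as the manifest, so the manifest should be produced and signed at review time, outside the build job it is meant to check.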
Trap Callout: Trusted Does Not Mean Unlimited
Vendors, administrators, contractors, and service accounts are trusted for a purpose. That does not mean they should have permanent broad access. Apply least privilege, monitoring, segmentation, and offboarding to trusted relationships.
Quick Drill
| Clue | Most likely issue |
|---|---|
| Contractor account still active after project ends | Vendor offboarding failure |
| Personal cloud drive used for restricted files | Negligent insider or shadow IT |
| Admin downloads unusual volume before resigning | Malicious insider |
| New package dependency starts beaconing | Software supply chain compromise |
| Vendor support account logs in from unusual country | Compromised vendor credential |
| Build system has plaintext deployment keys | CI/CD secret management weakness |
A vendor support account is shared by several technicians and remains active between maintenance windows. Which control best reduces the risk?
A reviewed application source tree is clean, but the released package contains an extra credential-stealing script added during the build process. What type of issue is this?
Which controls help reduce insider and supply chain risk? Choose three.