Software Supply Chain Security: Can We Beat the Kill-Chain? A Case Study on the XZ Backdoor
摘要
A successful supply chain attack can have a severe impact on multiple organizations, states, or individuals by exploiting the weakest element in the chain. An essential strategy to proactively prevent supply chain attacks is risk management to identify, assess, and manage vulnerabilities. One crucial, but often complex part of standard risk management procedures is decision-making as it typically involves various criteria, such as time constraints, resource allocation, or balancing risks vs. business capabilities. Therefore, our main objective is to support decision makers in the risk management process by providing additional metrics to them. In this paper, we demonstrate how elements of the standard risk model can be combined with game theory techniques to support decision makers to identify proper mitigation strategies. We analyze the attacker and defender capabilities of the recent XZ backdoor to demonstrate the practicability and feasibility of our proposed concept.