A successful supply chain attack can have a severe impact on multiple organizations, states, or individuals by exploiting the weakest element in the chain. An essential strategy to proactively prevent supply chain attacks is risk management to identify, assess, and manage vulnerabilities. One crucial, but often complex part of standard risk management procedures is decision-making as it typically involves various criteria, such as time constraints, resource allocation, or balancing risks vs. business capabilities. Therefore, our main objective is to support decision makers in the risk management process by providing additional metrics to them. In this paper, we demonstrate how elements of the standard risk model can be combined with game theory techniques to support decision makers to identify proper mitigation strategies. We analyze the attacker and defender capabilities of the recent XZ backdoor to demonstrate the practicability and feasibility of our proposed concept.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Software Supply Chain Security: Can We Beat the Kill-Chain? A Case Study on the XZ Backdoor

  • Mario Lins,
  • Stefan Rass,
  • René Mayrhofer

摘要

A successful supply chain attack can have a severe impact on multiple organizations, states, or individuals by exploiting the weakest element in the chain. An essential strategy to proactively prevent supply chain attacks is risk management to identify, assess, and manage vulnerabilities. One crucial, but often complex part of standard risk management procedures is decision-making as it typically involves various criteria, such as time constraints, resource allocation, or balancing risks vs. business capabilities. Therefore, our main objective is to support decision makers in the risk management process by providing additional metrics to them. In this paper, we demonstrate how elements of the standard risk model can be combined with game theory techniques to support decision makers to identify proper mitigation strategies. We analyze the attacker and defender capabilities of the recent XZ backdoor to demonstrate the practicability and feasibility of our proposed concept.