Supply chain attack vector — SY0-701
Understand the supply chain attack vector for Security+ SY0-701: NIST definition, MITRE ATT&CK sub-techniques, exam traps, and signal phrases.
WHAT IT IS
A supply chain attack is an attack in which an adversary uses implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals, or services at any point during the life cycle. (Source: NIST Glossary, CNSSI 4009-2015)
The defining characteristic is when the compromise happens: before the product or component reaches the final consumer, not after.
Mental model
Think of a supply chain attack as poisoning a well upstream. Everyone who draws water downstream is affected — even if their own security controls are flawless. The target organization does nothing wrong operationally; the compromise is baked in before the product arrives.
This upstream-first logic is what separates supply chain attacks from conventional threat vectors. The adversary does not need to break through the target's perimeter; they compromise a trusted third party — a hardware manufacturer, a software vendor, a build pipeline, a package repository — and then ride that trust relationship into the target environment.
When to use it
Use the "supply chain" label when the compromise occurs at a point in the production or distribution chain before the final consumer takes possession. Use a different label when the adversary directly targets the consumer's environment after delivery.
| Scenario | Label |
|---|---|
| Malicious code injected into a vendor's software update before it ships | Supply chain attack |
| Attacker exploits a vulnerability in the consumer's own running software | Network / software vulnerability |
| Backdoor inserted into a network device during manufacturing | Supply chain attack (hardware) |
| Phishing email tricks an employee into installing malware | Message-based vector |
| Attacker re-registers an abandoned open-source package and injects malicious code | Supply chain attack (dependency) |
| Attacker compromises a managed service provider to reach the MSP's clients | Supply chain attack |
COMMON MISCONCEPTION
The trap: Candidates often assume that a supply chain attack requires the attacker to breach the final victim's network directly. They see "the company's software was compromised" and reach for "network attack" or "software vulnerability."
The reality: In a supply chain attack, the adversary's foothold is inside a legitimate, trusted artifact — a signed installer, an update package, a hardware component, a CI/CD pipeline output — before it ever touches the target. MITRE ATT&CK describes this as adversaries manipulating "products or product delivery mechanisms prior to receipt by a final consumer." (T1195)
This matters on the exam: the attack succeeds because the product looks legitimate and passes normal trust checks. The trust relationship is the attack surface, not a firewall rule or an unpatched vulnerability in the victim's environment.
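The point about passing normal trust checks can be shown in a few lines. This is an added example, not part of the original page: a toy vendor pipeline signs whatever it builds, so a change made before signing still verifies, while a change made after signing does not. The key, file names, and the HMAC stand-in for a code-signing signature are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key. HMAC keeps the example
# offline; a real vendor signs with an asymmetric code-signing key.
VENDOR_KEY = b"constructed-vendor-key"

def build(sources):
    """Toy deterministic build: pack the source files in name order."""
    return b"".join(n.encode() + b"\0" + body + b"\0"
                    for n, body in sorted(sources.items()))

def sign(artifact):
    """Vendor-side signing step (HMAC used as a labelled stand-in)."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).hexdigest()

def assess(artifact, signature, reviewed_sources):
    """Classify a delivered artifact by where it diverged, if anywhere."""
    if not hmac.compare_digest(sign(artifact), signature):
        # Changed after the vendor signed it: the normal trust check fails.
        return "altered after signing"
    rebuilt = build(reviewed_sources)
    if hashlib.sha256(rebuilt).digest() != hashlib.sha256(artifact).digest():
        # Vendor-signed, yet not what the reviewed source produces: the
        # change entered before signing, inside the supply chain.
        return "signed but differs from reviewed source"
    return "matches reviewed source"

# Constructed sample data.
REVIEWED = {"app.py": b"print('hello')\n"}
# The vendor pipeline built from a tree with one extra, unreviewed file.
PIPELINE_TREE = {**REVIEWED, "extra.py": b"# unreviewed addition\n"}

def scenarios():
    clean = build(REVIEWED)
    upstream = build(PIPELINE_TREE)
    return {
        "clean release": assess(clean, sign(clean), REVIEWED),
        "upstream compromise": assess(upstream, sign(upstream), REVIEWED),
        "tampered in transit": assess(clean + b"x", sign(clean), REVIEWED),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

Only the "upstream compromise" case carries a valid signature and still differs from the reviewed source, which is the pattern the exam scenarios describe.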
A second misconception is that supply chain attacks are only about software. MITRE ATT&CK explicitly distinguishes hardware supply chain compromise (T1195.003), in which adversaries manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. Hardware, firmware, and peripheral devices are all in scope.
How it shows up on the exam
Cognitive target: The exam probes whether candidates can identify the point of compromise in a scenario rather than just its effect.
Signal phrases to recognize:
- "A vendor's update package was found to contain malicious code" — the compromise happened at the vendor before delivery.
- "Developers unknowingly installed a backdoored version of a popular library from a public repository" — dependency or software supply chain. MITRE ATT&CK T1195.001 describes adversaries targeting popular open-source packages used as dependencies.
- "Hardware arrived from the manufacturer with an unexpected firmware modification" — hardware supply chain (T1195.003).
- "An MSP's management tools were used to push malware to all of its clients" — the MSP is the compromised upstream link.
The cognitive challenge: Candidates who focus on what was compromised (software, hardware) rather than when and where (before delivery, by a third party in the chain) will misclassify the scenario. Ask: "Was the malicious element present before the target received the product?" If yes, the answer points toward supply chain.
CAPEC characterizes supply chain attacks as disruptions across the supply chain lifecycle, noting that the distributed, multi-national nature of modern supply chains creates multiple points for disruption. (CAPEC-437) This means a question stem may describe a geographically distant manufacturing or distribution step — that geographic distance is a feature of the attack surface, not a reason to rule it out.
Related concepts
- Threat vectors
- Message-based vectors
- Network attack vectors
Sources
Every claim on this page traces to the public exam blueprint and official documentation: