Patch Poisoning

Software Supply Chain Attack Detection and Prevention

As the prevalence of software supply chain attacks has escalated, recently highlighted by the SolarWinds Orion and Kaseya attacks, fears of future incidents have gripped the industry. The purpose of this paper is to examine a larger sample of software supply chain attacks, in an attempt to gauge how they occur and can be detected using technical measures.

In order to focus on the larger issue of technical deterrence, and to avoid disagreements over which threat actors are responsible, this paper does not address attribution. The techniques used to defend against these attacks are independent of their source, apart from geo-IP based active blocking of the kind commonly employed by commercial firewalls and similar protection products. Attribution is a valuable data point for defenders but is beyond the scope of this analysis. Likewise, the behavior of the malware once it has compromised the target is largely unimportant here, as the goal is to review the indicators likely to be present before the malicious code is installed into victim environments.

A patch poisoning attack is a type of supply chain attack that compromises a software product by introducing malicious code into a patch for that product. Many organizations are vulnerable to this type of attack because most software used today is complex and includes third-party components that may be largely unknown to the software publisher. All software, including those third-party components, requires frequent communication with its supplier to receive updates and fixes for known vulnerabilities. This method of attack exploits the inherent trust between software suppliers and every consumer of that software, including end users, internal development teams, and other software vendors.

Download the whitepaper to read our team's study of software supply chain attacks, methods of execution, and programmatic detection.