As most companies have learned, unhappily, in recent years, hackers and other cyber criminals are nothing if not resourceful. Sometimes that resourcefulness manifests itself in the creation of sophisticated malware code, or perhaps in clever social engineering ploys that trick users into taking risky actions.
When the countermeasures of defenders prove effective, however, resourceful attackers readily turn to more promising avenues of exploitation. Increasingly, those avenues involve attacking trusted software that people are already using, as well as leveraging established supply chains such as software tools vendors and cloud service providers.
Attacks that target installed software tools and operating system features are said to be “living off the land”, as they build on software that is generally available across the computing landscape. Supply chain attacks are a distinct, but related, attack approach, in that they compromise the offerings of existing and trusted suppliers.