<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="client.xsl" type="text/xsl"?>
<article article-type="other">
<doi>MS-23-186-cd</doi>

<front><journal-meta>
<journal-id/>
<issn/>
<banner>
<href>banner.jpg</href>
<size width="100%"/>
</banner>
</journal-meta>
<article-meta>
<title-group>
<article-title>Defending from Supply Chain Attacks</article-title>
</title-group>
<author>Fabrizio Baiardi</author>
<aff>Dipartimento di Informatica, Università di Pisa, Pisa, Italy</aff>
<aff>Haruspex srl, Pisa, Italy</aff>
</article-meta></front>
<body>
<abstract>
<title>ABSTRACT</title>
<p>A cyber risk assessment of an ICT infrastructure can use a digital twin of the infrastructure and digital twins of the threat actors. The infrastructure twin is a virtual replica of the infrastructure with information on its vulnerabilities, whereas the twins of the threat actors describe the attacks they can implement and their goals. We use these twins to run multiple emulations of the threat actors' behaviors against the infrastructure. This supports the discovery of all the attack paths of an actor by covering stochastic factors such as the success or failure of each attack. Knowledge of the attack paths of an actor is fundamental to selecting the countermeasures to deploy to interrupt these paths and minimize cyber risk. A twin-based solution can run the emulations even before the infrastructure is built, and it supports a what-if analysis that changes some properties of the infrastructure or of the threat actors to evaluate how this affects the overall risk. A supply chain attack is an attack against the supplier that inserts a vulnerability or a backdoor into a module, which the threat actor then uses once the final user deploys the module it has received. We propose to defend against this attack through a what-if analysis that assumes that a vulnerability or a backdoor has been introduced into outsourced modules as a result of a supply chain attack against the supplier. The proposed solution requires that the infrastructure twin be extended with information on the modules used to build each infrastructure software module. We also discuss a solution that deploys a larger number of countermeasures for each attack path.</p>
<p><italic>Keywords: </italic>Model-Based, Adversary Emulation, Digital Twin, Vulnerability, Patch Schedule.</p>
</abstract>
<fpdf>
<href>pdflogo.jpg</href>
<hpdf>MS-23-186</hpdf>

</fpdf>
</body>
</article>