Netskope BEAM: Open Source Detector for Supply Chain Compromise

Netskope Threat Labs has introduced a new open-source tool named Behavioral Evaluation of Application Metrics (BEAM) to detect supply chain attacks. This tool operates without requiring endpoint agent deployment and utilizes existing network traffic data to identify applications communicating with potentially malicious hosts.

Supply Chain Attacks

The SolarWinds incident in December 2020 illustrated a significant cybersecurity threat by exploiting supply chain vulnerabilities. It compromised thousands of organizations by embedding malicious code in software updates from a trusted vendor. This incident raised awareness regarding software supply chain attacks, which target the intricate network of vendors and suppliers in software development.

Effectiveness of Supply Chain Attacks

Supply chain attacks leverage built-in trust and complexity in vendor relationships. Factors contributing to their effectiveness include:

  • Complexity: Modern software development involves numerous third-party vendors, creating multiple entry points for attackers.
  • Lack of Visibility: Monitoring the entire supply chain is challenging, hindering the detection of suspicious activities.
  • Assumed Trust: Organizations may mistakenly trust vendor security, leading to vulnerabilities.

BEAM’s Development Background

The discussion following the SolarWinds attack prompted the creation of BEAM. CISA advised organizations to analyze stored network traffic for possible attack indicators. This insight raised several questions about identifying unusual application behavior in network traffic, leading to the development of BEAM.

Proof of Concept Overview

A proof of concept was developed that validated BEAM’s capabilities through red team testing. The initial tests involved monitoring and decrypting traffic to evaluate application behavior against expected patterns. In one such test, the analysis of traffic revealed a 94% probability of compromise, demonstrating the tool's effectiveness in identifying suspicious activities.

Operational Mechanism

BEAM processes files containing decrypted Hypertext Transfer Protocol (HTTP) or HTTPS traffic and extracts User-Agent strings to classify the applications that generated the requests. If a string has not been seen before, BEAM uses large language models and parsers to identify the corresponding application. This information is stored in a database for later comparison; the observed behavior of each application is then assessed against pre-trained models to estimate how likely it is to be suspicious. Current models cover popular applications such as Slack, Spotify, and Asana, each based on its distinct traffic patterns.

Implementation Guidance

BEAM is available for use on GitHub, including a sample HAR file to facilitate immediate testing. Users can also create custom models for proprietary applications using captured traffic data.
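The two steps described above (grouping traffic by User-Agent string, then comparing an application's observed destinations against what is expected of it) can be illustrated with a small script. This is an added example and not BEAM's own code; the HAR fragment, the baseline of expected hosts, and the function names `hosts_by_user_agent` and `unexpected_hosts` are all constructed for the illustration.

```python
"""Added illustration (not BEAM's code): extract User-Agent strings and
destination hosts from a HAR file, then compare each application's observed
hosts against a constructed baseline of hosts it is expected to contact."""
import json
from urllib.parse import urlparse

# Constructed HAR fragment: the HAR format stores one entry per HTTP request.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://slack.com/api/rtm.connect",
                 "headers": [{"name": "User-Agent", "value": "Slack/4.29 Electron"}]}},
    {"request": {"url": "https://files.slack.com/upload",
                 "headers": [{"name": "User-Agent", "value": "Slack/4.29 Electron"}]}},
    {"request": {"url": "https://cdn.example-unknown.net/beacon",
                 "headers": [{"name": "user-agent", "value": "Slack/4.29 Electron"}]}},
    {"request": {"url": "https://api.spotify.com/v1/me",
                 "headers": [{"name": "User-Agent", "value": "Spotify/1.2 Win32"}]}},
]}})

# Constructed baseline: hosts each known application normally talks to.
BASELINE = {
    "Slack/4.29 Electron": {"slack.com", "files.slack.com"},
    "Spotify/1.2 Win32": {"api.spotify.com"},
}

def hosts_by_user_agent(har_text):
    """Map each User-Agent string to the set of hosts it contacted."""
    result = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        # Header names are case-insensitive, so match them in lowercase.
        ua = next((h["value"] for h in req.get("headers", [])
                   if h["name"].lower() == "user-agent"), None)
        host = urlparse(req["url"]).hostname
        if ua and host:
            result.setdefault(ua, set()).add(host)
    return result

def unexpected_hosts(observed, baseline):
    """Return {ua: (hosts_not_in_baseline, fraction_unexpected)}.
    A User-Agent absent from the baseline is reported whole with fraction
    None: it is a new application that must be classified before scoring."""
    report = {}
    for ua, hosts in observed.items():
        known = baseline.get(ua)
        if known is None:
            report[ua] = (set(hosts), None)
            continue
        new = hosts - known
        report[ua] = (new, len(new) / len(hosts))
    return report
```

A real baseline would be built from many captures of the application's normal traffic, which is what the page describes when it says users can train custom models from captured traffic.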

Conclusion

For organizations interested in employing this tool, the open-source repository is available on GitHub. Collaboration with the open-source community is encouraged for further enhancement and issue identification.