Netskope Threat Labs introduces BEAM for detecting supply chain attacks
Netskope Threat Labs has introduced BEAM, an open-source tool designed for detecting supply chain attacks. The tool operates without requiring endpoint agents and utilizes existing network traffic data to monitor applications communicating with potentially malicious hosts.
Supply Chain Threats
The SolarWinds incident in December 2020 exposed how vulnerable organizations are: malicious code embedded in software updates from trusted vendors compromised numerous organizations. This event raised awareness of the risks associated with software supply chain attacks.
Software supply chain attacks capitalize on the intricate networks of vendors and suppliers involved in software development.
Attack Effectiveness Factors
Supply chain attacks benefit from trust and complexity in vendor relationships. Key factors that enhance their effectiveness include:
- Complexity: Modern development ecosystems use various third-party vendors, creating multiple entry points for attackers.
- Lack of Visibility: Effective monitoring of the entire supply chain is challenging, making the detection of suspicious activities difficult.
- Assumed Trust: Organizations might incorrectly assume vendors' security measures are sufficient, leaving them vulnerable.
Development of BEAM
BEAM emerged from discussions following the SolarWinds incident. The Cybersecurity and Infrastructure Security Agency (CISA) recommended that organizations analyze stored network traffic to spot potential attack indicators.
This guidance prompted inquiries about how to identify unusual application behavior, leading to the creation of BEAM.
Proof of Concept
Validation of BEAM's capabilities occurred through red team testing, where traffic monitoring and decryption were used to compare application behavior to expected patterns. One test indicated a 94% probability of compromise, showcasing the tool's ability to identify suspicious activity.
Operational Mechanism
BEAM analyzes files containing decrypted Hypertext Transfer Protocol (HTTP) or HTTPS traffic and extracts user agent strings to classify applications. If the strings are unidentified, BEAM applies large language models and parsers to recognize the applications.
This data is archived for later comparison: the application's observed behavior is checked against trained per-application models to estimate how likely the activity is to be suspicious. Current models cover applications such as Slack, Spotify, and Asana, each based on its distinctive traffic patterns.
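As an added illustration of the mechanism just described (example code, not BEAM's own), the script below parses a constructed HAR excerpt, groups destination hosts by the application inferred from each request's User-Agent, and reports hosts that fall outside an assumed per-application baseline. The baseline hosts and the prefix-based classifier are assumptions standing in for BEAM's trained models and parsers.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Assumed per-application baseline of expected hosts (placeholder values,
# not BEAM's trained models).
BASELINES = {"Slack": {"slack.com", "api.slack.com"}}

# Constructed HAR excerpt: one expected Slack request, one to an odd host.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://api.slack.com/api/conversations.list",
                 "headers": [{"name": "User-Agent", "value": "Slack/4.29"}]}},
    {"request": {"url": "https://203.0.113.7/update/beacon",
                 "headers": [{"name": "user-agent", "value": "Slack/4.29"}]}},
]}})

def user_agent(request):
    """Return the User-Agent header value (header names are case-insensitive)."""
    for h in request.get("headers", []):
        if h.get("name", "").lower() == "user-agent":
            return h.get("value", "")
    return ""

def classify(ua):
    """Map a User-Agent to an app by prefix match; stands in for the UA
    parsers and LLM classification the article describes."""
    for app in BASELINES:
        if ua.lower().startswith(app.lower()):
            return app
    return "unknown"

def hosts_by_app(har_text):
    """Parse HAR JSON and collect the destination hosts seen per application."""
    out = defaultdict(set)
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        out[classify(user_agent(req))].add(urlparse(req["url"]).hostname)
    return out

def score(har_text):
    """Per app with a baseline: (fraction of hosts outside it, those hosts)."""
    result = {}
    for app, hosts in hosts_by_app(har_text).items():
        if app in BASELINES:
            unexpected = hosts - BASELINES[app]
            result[app] = (len(unexpected) / len(hosts), sorted(unexpected))
    return result
```

On the sample, half of the Slack-attributed hosts are outside the baseline, which is the kind of deviation a trained model would score rather than a fixed threshold.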
Usage Guidance
BEAM is accessible on GitHub, along with a sample HAR file to assist with initial testing. Users have the option to develop custom models for proprietary applications utilizing captured traffic data.
Conclusion
The open-source repository is available on GitHub for organizations interested in utilizing BEAM. Collaboration with the community is encouraged to enhance the tool and address potential issues.