Your Traffic Doesn’t Lie: Unmasking Supply Chain Attacks via Application Behaviour


Supply chain compromises like the 2020 SolarWinds breach have shown how devastating and stealthy these attacks can be. Despite advances in provenance checks (e.g., SLSA), SBOMs, and vendor vetting, organizations still struggle to detect compromises that arrive through trusted applications. In this talk, we unveil BEAM (Behavioral Evaluation of Application Metrics), an open source tool that implements a novel technique for detecting supply chain attacks purely from web traffic—no endpoint agents, no code instrumentation, just insights from the network data you’re probably already collecting.

We trained BEAM on over 40 billion HTTP/HTTPS transactions across thousands of global organizations. By applying LLMs to map user agents to specific applications, extracting 65 behavioral signals, and building application-specific baselines, BEAM detects deviations with over 95% accuracy—and up to 99% for highly predictable applications. It’s fast, automated, and doesn’t rely on vendor cooperation or manual tuning.

We’ll walk through how BEAM works under the hood: from enriching noisy traffic data, to behavioral modeling, to surfacing the anomalies that reveal active compromises. Alongside prebuilt models for eight popular applications, we’ll also show how organizations can build custom models for internal apps, enabling scalable monitoring for both off-the-shelf and bespoke software.
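To make the baseline-then-deviation idea concrete, here is a small added example of per-application behavioral baselining over proxy-style HTTP logs. It is not BEAM's or Netskope's code: the four-field log layout (app, destination host, method, bytes sent), the three signals it uses (unseen destination, unseen method, bytes-sent z-score), the z-score limit of 3.0, and the hostnames are all assumptions constructed for this illustration. The observed window contains one request that departs from the app's learned profile on all three signals, which is the kind of deviation the talk describes surfacing from traffic alone.

```python
"""Per-application behavioural baselining over proxy-style HTTP logs.

Added illustration for the BEAM talk abstract; NOT BEAM's own code. The log
format, the signals, and the threshold below are assumptions for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window for one application: (app, dst_host, method, bytes_out).
BASELINE_LOG = [
    ("updater", "updates.example-vendor.test", "GET", 512),
    ("updater", "updates.example-vendor.test", "GET", 530),
    ("updater", "updates.example-vendor.test", "GET", 498),
    ("updater", "cdn.example-vendor.test", "GET", 520),
    ("updater", "updates.example-vendor.test", "GET", 505),
    ("updater", "cdn.example-vendor.test", "GET", 515),
]

# Constructed observation window: the second line is the constructed anomaly
# (new destination, unseen method, far larger upload than the baseline).
OBSERVED_LOG = [
    ("updater", "updates.example-vendor.test", "GET", 509),
    ("updater", "203.0.113.7", "POST", 48000),
]


def build_baseline(log):
    """Build one profile per app: known hosts, known methods, bytes_out mean/std."""
    per_app = defaultdict(list)
    for app, host, method, nbytes in log:
        per_app[app].append((host, method, nbytes))
    profiles = {}
    for app, rows in per_app.items():
        sizes = [r[2] for r in rows]
        profiles[app] = {
            "hosts": {r[0] for r in rows},
            "methods": {r[1] for r in rows},
            "bytes_mean": mean(sizes),
            # Population std dev; fall back to 1.0 so a constant-size app still scores.
            "bytes_std": pstdev(sizes) or 1.0,
        }
    return profiles


def score_request(profile, host, method, nbytes, z_limit=3.0):
    """Return the list of deviation reasons; an empty list means 'matches baseline'."""
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new destination {host}")
    if method not in profile["methods"]:
        reasons.append(f"unseen method {method}")
    z = (nbytes - profile["bytes_mean"]) / profile["bytes_std"]
    if abs(z) > z_limit:
        reasons.append(f"bytes_out z-score {z:.1f}")
    return reasons


def detect(profiles, log, z_limit=3.0):
    """Score every request against its app's profile; apps with no baseline are flagged."""
    findings = []
    for app, host, method, nbytes in log:
        profile = profiles.get(app)
        if profile is None:
            findings.append((app, host, ["no baseline for app"]))
            continue
        reasons = score_request(profile, host, method, nbytes, z_limit)
        if reasons:
            findings.append((app, host, reasons))
    return findings


if __name__ == "__main__":
    for app, host, reasons in detect(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(f"[deviation] app={app} host={host}: {'; '.join(reasons)}")
```

In practice the profile would carry many more signals (the talk cites 65) and would be keyed by an app identity derived from the user agent rather than a literal app name, but the shape is the same: learn what each application normally does, then score live traffic against that profile instead of against a global rule set.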

This approach is new, highly effective, and purpose-built for threats that continue to bypass traditional defenses. By focusing on how applications behave—not just who built them or where they came from—BEAM gives defenders a powerful new signal against a threat that’s been challenging to defend against.

This session includes a live demo and practical takeaways for defenders, researchers, and security engineers alike.

By:
Colin Estep | Principal Engineer, Netskope
Dagmawi Mulugeta | Staff Threat Research Engineer, Netskope

Presentation materials available at: https://blackhat.com/us-25/briefings/schedule/index.html#your-traffic-doesnt-lie-unmasking-supply-chain-attacks-via-application-behaviour-45183