惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
U
Unit 42
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
腾讯CDC
罗磊的独立博客
博客园 - 聂微东
博客园_首页
雷峰网
雷峰网
云风的 BLOG
云风的 BLOG
Jina AI
Jina AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
D
DataBreaches.Net
The GitHub Blog
The GitHub Blog
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
量子位
Microsoft Azure Blog
Microsoft Azure Blog
阮一峰的网络日志
阮一峰的网络日志
小众软件
小众软件
月光博客
月光博客
T
The Exploit Database - CXSecurity.com
Google DeepMind News
Google DeepMind News
H
Help Net Security
O
OpenAI News
Blog — PlanetScale
Blog — PlanetScale
S
Security Affairs
S
Security @ Cisco Blogs
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
AI
AI
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
MyScale Blog
MyScale Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Docker
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Schneier on Security
Cloudbric
Cloudbric
H
Heimdal Security Blog
J
Java Code Geeks
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
有赞技术团队
有赞技术团队
S
SegmentFault 最新的问题
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
爱范儿
爱范儿
I
Intezer
GbyAI
GbyAI

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI
Zoey Chu · 2026-04-16 · via Vectra AI Blog

As organizations integrate AI across mission-critical systems, the attack surface grows beyond traditional IT and cloud environments. ATLAS fills the gap by documenting AI-specific attack scenarios, real adversary behaviors in the wild and mitigation strategies tailored to AI-enabled environments.

What is the MITRE ATLAS framework?

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a living, publicly accessible knowledge base that catalogs adversary tactics and techniques targeting AI-enabled systems. Modeled after the widely adopted MITRE ATT&CK® framework, ATLAS is tailored to the unique threats, vulnerabilities, and risks posed by artificial intelligence technologies.

ATLAS is a curated resource built on:

  • Real-world attack observations
  • AI red team demonstrations
  • Security research from government, industry, and academia

It captures how adversaries target AI and machine learning systems, including behaviors, techniques, and tools that are either specific to or adapted for AI contexts.

From weaponization to infrastructure abuse: a shift in attacker focus

The overwhelming majority of activity involves threat actors using generative AI to accelerate their campaigns through tasks such as:

  • Writing phishing emails or social engineering scripts
  • Researching vulnerabilities or techniques
  • Troubleshooting malware or tool development
  • Generating content for scams or fake identities But a more concerning pattern is gaining attention: attackers are using evolving tactics where the exploitation of cloud-based LLM resources—such as AWS Bedrock and Azure AI Foundry—has become a growing vector for profit and abuse.

AWS Bedrock

Figure: Amazon Bedrock is a service that helps users build and scale generative AI applications. It's a fully managed service that supports deployment of foundational models from Anthropic, Meta, and more.

Public LLMs can generate text or assist with scripting, but cloud-hosted models are deeply integrated into high-value enterprise workflows. These systems offer adversaries access to compute, sensitive data, and trusted execution environments.

Meme illustrating the fact attackers prefer abusing cloud GenAI rather than using GenAI for generic use

Why attack cloud-hosted AI instead of free, open-source models?

Cloud platforms like AWS Bedrock and Azure AI Foundry are attractive targets because they:

  • Expose multi-tenant infrastructure: A vulnerability in shared components can impact multiple customers.
  • Provide access to confidential enterprise data: Especially when tied to RAG (retrieval-augmented generation) workflows, which enhance LLM responses by retrieving and injecting enterprise data from connected knowledge sources.
  • Enable abuse of trust and identity integrations: Cloud identities and IAM roles can be leveraged for privilege escalation or lateral movement.
  • Cost money to operate: Attackers can exploit this by hijacking compute resources (LLMjacking).

Abusing these platforms allows adversaries to operate with higher stealth and return on investment compared to using open-source or public APIs.

Why adversaries target Generative AI infrastructure

Attackers targeting cloud-based GenAI services are motivated by three primary objectives: financial gain, data exfiltration, and destructive intent. Their success depends heavily on how they gain initial access to enterprise infrastructure.

1. Financial Gain

Attackers may seek to hijack enterprise accounts or exploit misconfigured infrastructure to run unauthorized inference jobs—a tactic known as LLMjacking. They can also abuse cloud AI services for free computation or monetized model access.

2. Exfiltration

Sophisticated adversaries aim to extract proprietary models, training data, or sensitive enterprise documents accessed via RAG (retrieval-augmented generation) systems. Inference APIs can also be abused to leak data over time.

3. Destruction

Some actors seek to degrade system performance or availability by launching denial-of-service attacks, poisoning training pipelines, or corrupting model outputs.

While misuse of public LLMs enables some attacker activity, the strategic advantages of targeting enterprise GenAI infrastructure (data access, scalability, and trust exploitation) make it a more attractive and impactful vector.

How MITRE ATLAS helps you understand and map these threats

MITRE ATLAS provides a structured view of real-world tactics and techniques used against AI systems, which maps directly to risks seen in platforms like AWS Bedrock, Azure AI, and other managed GenAI services.

ATLAS covers a wide range of techniques beyond those related to cloud-hosted AI infrastructure, including AI model reconnaissance, poisoning open-source models or datasets, LLM plugin compromise, and many others.

Here are some examples of specific techniques a threat actor could leverage in the process of attacking cloud-hosted AI infrastructure:

Initial access

  • Valid Accounts (AML.T0012): Adversaries often acquire legitimate credentials via phishing campaigns, credential stuffing, or supply chain breaches.
  • Exploit Public-Facing Applications (AML.T0049): Poorly secured or exposed endpoints (e.g., RAG assistants or APIs) can be used to gain initial footholds into GenAI systems.

Dark Web Ecosystem for LLMjacking — Compromised accounts and AWS IAM keys are sold through underground services, allowing consumers to run unpaid inference workloads on cloud-hosted LLMs.

Figure: Dark Web Ecosystem for LLMjacking — Compromised accounts and AWS IAM keys are sold through underground services, allowing consumers to run unpaid inference workloads on cloud-hosted LLMs.

AI Model Access

  • AI Model Inference API Access (AML.T0040): Gaining direct access to inference APIs to run unauthorized queries or workloads.
  • AI-Enabled Product or Service (AML.T0047): Targeting enterprise software integrated with GenAI to manipulate output or extract internal data.

Execution

  • LLM Prompt Injection (AML.T0051): Injecting malicious inputs that subvert guardrails or logic, especially in RAG or workflow-integrated systems.

Privilege Escalation/Defense Evasion

  • LLM Jailbreak (AML.T0054): Bypassing model controls to unlock restricted functions or generate harmful content.

After recon confirms enabled LLM models, they disable prompt logging to hide their tracks. By turning off logging, they stop the system from recording their illicit prompts—making it tough to spot what they’re doing with the hijacked models

Figure: After recon confirms enabled LLM models, they disable prompt logging to hide their tracks. By turning off logging, they stop the system from recording their illicit prompts—making it tough to spot what they’re doing with the hijacked models

Discovery

  • Discover AI Model Family (AML.T0014): Identifying model architecture or vendor characteristics to tailor attacks.
  • Discover AI Artifacts (AML.T0007): Locating logs, prompt histories, or datasets that reveal system internals.

Attack Flow for Unauthorized Model Activation — Once inside a cloud environment using compromised IAM keys, adversaries perform reconnaissance to discover foundational models, enable them, and initiate inference—incurring cost and risk for the victim.

Figure: Attack Flow for Unauthorized Model Activation — Once inside a cloud environment using compromised IAM keys, adversaries perform reconnaissance to discover foundational models, enable them, and initiate inference—incurring cost and risk for the victim.

Collection & Exfiltration

  • Data from Information Repositories (AML.T0036): Harvest structured/unstructured data retrieved through RAG or embedded in AI services.
  • Exfiltration via AI Inference API (AML.T0024): Slowly extract data by abusing the inference layer.
  • LLM Data Leakage (AML.T0057): Trigger unintentional data leakage through carefully crafted queries.

Impact

  • Denial of AI Service (AML.T0029): Overload or disrupt AI endpoints to degrade availability.
  • External Harms (AML.T0048): Cause financial, reputational, legal, or physical harm by abusing AI systems or manipulating AI output in critical applications.

attacker exploiting stolen IAM credential

Figure: Here an attacker again starts by exploiting stolen IAM credential, followed by recon. Next the attacker can test out if guardrails are in place for the enabled models. If attacker has enough permissions, they can even tamper with guardrails, and make the model more exploitable, especially custom ones.

These techniques illustrate how attackers exploit every layer of AI infrastructure: access, execution, data, and impact. MITRE ATLAS provides the mapping needed for SOC teams to prioritize detections, validate defenses, and red team effectively across enterprise AI environments.

How Vectra AI maps to MITRE ATLAS

Vectra AI maps its detection logic to MITRE ATLAS to help SOC teams identify:

  • Identities suspiciously accessing GenAI platforms such as AWS Bedrock and Azure AI Foundry
  • Attempts to evade defenses and impede investigations of GenAI abuse
  • Anomalous usage of GenAI models consistent with cloud account compromise

In addition to surfacing these behaviors, Vectra’s AI prioritization agent amplifies analyst focus by raising the risk profiles of identities associated with suspicious access and enablement of GenAI models. Because Vectra AI delivers agentless, identity-driven detection across hybrid cloud and SaaS environments, it is uniquely positioned to detect threats that traditional tools might miss-especially in AI-integrated workflows.

AML.TA0004
Initial Access
AML.TA0000
AI Model Access
AML.TA0005
Execution
AML.TA0012
Privilege Escalation
AML.TA0007
Defense Evasion
AML.TA0008
Discovery
AML.TA0009
Collection
AML.TA0010
Exfiltration
AML.TA0011
Impact
Valid Accounts AI Model Interference API Access LLM Prompt Injection LLM Jailbreak LLM Jailbreak Discover AI Model Family Data from Information Repositories Exfiltration via AI Inference API Denial of AI Service
Exploit Public-Facing Application AI-Enabled Product or Service Discover AI Artifacts LLM Data Leakage External Harms
Phishing

Overview of our current visibility into the techniques and sub techniques defined in MITRE's ATLAS framework (as published on 17 Mar 2025).

The narrative is changing. Generative AI is no longer just a tool in the hands of attackers; it is now a target. And as enterprise adoption grows, so too will the sophistication of these attacks. By using frameworks like MITRE ATLAS and deploying solutions like the Vectra AI Platform, security teams can stay ahead of evolving threats and ensure AI delivers value without compromising integrity.