Defending against autonomous, AI agent exploits

The Sysdig research team highlighted an autonomous, AI-orchestrated exploit where the threat actor went from initial access to administrative privileges in less than 10 minutes. This exploit is indicative of a marked departure from human operated exploits, with unprecedented automation and speed.

The writeup below is aimed to prepare defenders to formulate their defensive strategy against these exploits.

This is an exploit targeting an organization that runs AI/LLM workloads in the cloud (AWS). AWS BedRock, a popular service providing foundation models, was the target of the exploit.

The goal of the attacker was to gain unauthorized access to AWS BedRock and launch GPU instances to train models. This exploit is known as LLMjacking, where attackers hijack AI infrastructure to gain access to the foundation models.

This is a multi-stage exploit, with the threat actor gaining initial access to the AWS environment by gaining access to validate credentials through a public S3 bucket. The attacker performed reconnaissance to find IAM roles with administrative permissions, gained access to these roles, performed code injection in AWS Lambda to gain administrative user permissions, established persistence, and launched LLM models in AWS BedRock.

LLM assisted multi-stage exploit

The exploit sequence is mapped to the MITRE ATT&CK framework tactics. The exploit sequence is organized along these tactics.

Cloud exploits, including stealthy exploits known as Living off the Cloud attacks, have risen in frequency. In previous iterations of these attacks, each step was typically performed by a human adversary. The stealthy nature of the multi-stage exploit resulted in elapsed time for the completion of the exploit, with the overall elapsed time often ranging from hours to days and sometimes even weeks.

This exploit, automated using AI, completed the multi-stage exploit sequence in less than 10 minutes. This speed is an order of magnitude faster than human exploits, even when performed by highly skilled human adversaries.

The level of automation and speed in AI-orchestrated attacks represents a marked departure from typical exploits.

From a defender’s viewpoint, it is important to strengthen prevention controls as applicable and feasible. However, as this exploit indicates, the threat actor gained initial access through AWS credentials found in a public S3 bucket. An organization with a significant cloud estate would have a large number of pathways for a threat actor to gain initial access, such as the leaked credentials in this case. It is imperative for defenders to adopt an assume compromise security posture, one that operates under the principle that the adversary will gain access to the environment.

Threat detection has traditionally focused around establishing a baseline of “normal” usage patterns and flagging deviations from the baseline as suspect, this is an anomaly-based detection approach. This approach is essentially reactive in nature, one that is based on the principle of observing a series of events and reacting to them to identify suspicious activity.

Cloud workloads tend to be dynamic and ephemeral, making the identification of a baseline difficult. As this AI-orchestrated exploit indicates, with the threat actor completing their mission in under 10 minutes, an attempt to establish a baseline and identify deviations within this rapidly shortened time window is highly challenging.

Defending against these rapidly executing threats needs an approach that is based on a proactive and preemptive security posture.

Preemptive defense is a proactive approach to cyber defense, one that is based on the principle of anticipating threats and setting a defensive strategy before the threat occurs.

A foundational element of a preemptive defense strategy is based on cyber deception. Deception is based on the principle of anticipating a threat and setting traps at strategic locations of interest to the attacker. Any interaction with the traps is an immediate indicator of malicious activity, providing instant detection without requiring the identification of a baseline.

An effective deception strategy is anchored on placing traps that are tailored to detect threats at early stages of the attack lifecycle. For the AI-orchestrated LLMjacking exploit, deception-based traps are set for MITRE tactics of Discovery, Credential Access, Privilege Escalation, and Persistence. The objective is to find and stop the attack before the exploit gets to the Execution or Impact stage, where the actual damage/breach occurs.

For an AWS environment, deceptions are deployed to represent entities of value to a threat actor or an AI agent. These include: account honeytokens that represent deceptive identities (IAM Roles and IAM Users), workload honeytokens that represent deceptive credential profiles (access keys and secrets in AWS Secrets Manager), and decoys that represent cloud resources (ec2 instances, S3 buckets, Lambda functions).

By deploying a tailored deception strategy for an AWS environment, the defender can find and stop the exploit at step 2 itself, at the stage of the AI agent attempting to assume a role that represents an administrative role.

Deception-based preemptive defense stops this exploit at step 2

The multi-stage exploit, orchestrated by AI, has dramatically reduced the exploit window to less than 10 minutes from initial access to administrative privileges. Preemptive defense is based on anticipating threats and setting traps to find the exploit at the early stages of the exploit sequence. Honeytokens representing deceptive IAM roles detect this AI agent exploit at step 2, during the IAM role enumeration and exploit phase.