AI's dark side - mitigating security risks

As is often the case, malicious actors are forging ahead with innovating AI/ML-based threats, whilst there are currently few solutions to protect businesses. These threats have been recognised by government bodies, but there are currently very few AI regulations enacted to guide businesses. The EU AI Act is one exception, which has started to be enforced across all 27 EU Member States from 1 August 2024. This legislation focuses on ensuring organisations take a risk-based approach to the entire lifecycle of an AI system. Canada has also introduced the Artificial Intelligence and Data Act (AIDA) as part of Bill C-27, the Digital Charter Implementation Act, 2022. This too, focuses on ensuring organisations are taking safe and responsible steps for the development and deployment of AI technologies. Whilst legislation and frameworks are being delivered by countries and trading blocks, a quick internet search displays dozens of news reports which reveal the extent of the problem caused by malicious actors, that legislators are trying to mitigate against. 

• Researchers Uncover 'LLMjacking' Scheme Targeting Cloud-Hosted AI Models source: The Hacker News 

• Prompt hacking is an Achilles' heel for AI source: Fierce Networks 

• How AI can be hacked with prompt injection: NIST report source: SecurityIntelligence 

• How to weaponize LLMs to auto-hijack websites source: The Register 

 
Although the threat is very real, many employers are allowing employees access to AI/ML tools to develop innovative solutions that have the potential to bring significant benefits to their business, but with varying degrees of control, introducing AI adoption risk. For instance, employees could be using models with a corrupted or malicious payload that can results in data exposure, LLM compromise and model generated threats. 

 
The abundance of freely available AI/ML tools is making the use of AI/ML within businesses commonplace. An Oliver Wyman survey found that 55% of employees use public generative AI at least weekly. (Source Oliver Wyman). 

 
The velocity at which the AI models are developing has left developers with a plethora of free resources to integrate into their applications. One of the most popular community-focused platforms is Hugging Face, which has >900k models available, with most of them being free. However, the easy availability of these models can lead to ‘AI sprawl’, potentially resulting in excessive cloud costs, as well as increasing the attack surface if the infrastructure is not managed responsibly. On the downside, recently, Jfrog found >100 malicious AI/ML models were freely available on Hugging Face (Source: The Hacker News). This may seem like a small number in comparison to the vast number of resources available on the platform, but it proves there is an issue, and this will almost certainly become more of an issue in the future. 
 

Although there are still very few AI attack vectors, there are a few that have been identified: 

• LLMJacking uses harvested cloud credentials to gain access to cloud hosted LLMs, allowing malicious actors to use the LLM freely, which can increase costs significantly, and allow harvesting of the training data (Source: gbhackers.om). 

• Training data poisoning introduces corrupted or biased data into the training dataset used to develop an AI model, in order to compromise the accuracy and reliability of that model. If as little as 1% of the data is ‘poisoned’ in can have a significantly adverse effect on the model performance (Source: Cornell University).  

• Prompt injection can lead to models to ignore guardrails and leak sensitive information (Source: Cornell University). 

There are a handful of security companies that have developed and launched an AI-SPM service. Palo Alto Networks is one of them and is a strategic partner for GFT. Palo Alto Networks launched their AI-SPM tool in the summer of 2024, as part of their Prisma Cloud suite of cloud security tools. Businesses serious about cloud security should consider adding Prisma Cloud to their arsenal to defend against their ever-increasing attack surface. The other Prisma Cloud tools are covered very briefly at the end of this article.  
 

Prisma Cloud AI-SPM has been specifically developed to protect AI-powered applications from code to cloud. The goal is to protect AI-powered applications all the way from coding, through the software supply chain, and into runtime, where the AI-powered applications service customers. 
 

Prisma Cloud AI-SPM aims to discover and catalogue all AI/ML assets deployed across different cloud environments within a business to gain end-to-end visibility of entire AI pipelines. With this information, the AI-SPM can show the lineage of all the components used to build the AI-powered applications, which includes all the models used and the associated resources, to show the relationship between these assets and the underlying data used to train models. 
 

Prisma Cloud AI-SPM performs risk analysis on all the catalogued AI/ML assets to assess the security posture of the AI-powered applications across the whole development lifecycle. The assessment will find vulnerabilities such as overly permissive access and misconfigured resources that can lead to LLMJacking, model theft and misuse. 
 

AI models are continuously monitored by Prisma Cloud AI-SPM for unusual or unexpected behaviour patterns to detect abnormalities that could indicate a prompt injection attack, or other misuse. 

Training and reference data is monitored and classified by Data Security Posture Manage (DSPM) and Prisma Cloud AI-SPM to identify sensitive data to help protect against data exposure, training data positioning, privacy and compliance violations, and security breaches. 

 
Once the AI-powered is live, Prisma Cloud AI Runtime Security will protect the AI-powered applications in order to stop attacks in real time.