MITRE ATLAS
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of attacks on machine learning systems. VirtueRed comprehensively tests AI systems against 14 tactical categories that represent the complete adversarial attack chain targeting ML/AI infrastructure.
Overview
ATLAS provides a comprehensive model for understanding how adversaries compromise and operate within AI environments, enabling organizations to assess their AI systems' resilience against the full spectrum of ML-specific threats—from initial reconnaissance through data exfiltration and impact. The framework examines how AI systems might be exploited at each stage of an attack, recognizing that AI introduces unique vulnerabilities through model endpoints, training pipelines, data repositories, and integration points.
| Tactical Category | Description |
|---|---|
| Reconnaissance | Gathering information about target ML systems |
| Resource Development | Acquiring resources and developing attack tools |
| Initial Access | Gaining initial foothold in ML systems |
| Execution | Running adversarial code or actions |
| Persistence | Maintaining access across restarts and updates |
| Privilege Escalation | Gaining elevated access or capabilities |
| Defense Evasion | Avoiding detection and bypassing security |
| Credential Access | Obtaining credentials and authentication tokens |
| Discovery | Exploring the AI environment |
| Lateral Movement | Moving through connected systems |
| Collection | Gathering data from target systems |
| Command and Control | Maintaining communication with compromised systems |
| Exfiltration | Extracting data from ML systems |
| Impact | Disrupting, degrading, or destroying ML systems |
Reconnaissance
Adversary efforts to gather information for targeting AI systems and planning attacks.
| Technique | Description |
|---|---|
| Active Scanning | Testing exposure of AI endpoints to network reconnaissance |
| Search Open Technical Databases | Evaluating information leakage in public repositories |
| Phishing for Information | Assessing susceptibility to targeted information gathering |
| Search Open Websites/Domains | Testing exposure of AI documentation and specifications |
| Gather Victim Identity Information | Evaluating protection of AI team member information |
Testing Approach:
- System prompt extraction attempts
- API boundary probing
- Model capability inference testing
- Access control enumeration
Resource Development
Adversary efforts to establish resources for operations against AI systems.
| Technique | Description |
|---|---|
| Develop Capabilities | Testing detection of adversarial ML tool development |
| Obtain Capabilities | Assessing awareness of publicly available AI exploitation tools |
| Acquire Infrastructure | Evaluating detection of attack infrastructure setup |
| Compromise Infrastructure | Testing identification of supply chain targeting |
| Establish Accounts | Assessing detection of fake accounts for AI service access |
Testing Approach:
- Jailbreak technique evaluation
- Adversarial input generation
- Attack vector assessment
Initial Access
Techniques to gain initial foothold in systems hosting AI components.
| Technique | Description |
|---|---|
| Exploit Public-Facing Application | Testing vulnerabilities in AI API endpoints and interfaces |
| Supply Chain Compromise | Assessing risks from compromised ML libraries and frameworks |
| Valid Accounts | Evaluating use of legitimate credentials to access AI services |
| Phishing | Testing targeted attacks against AI teams and administrators |
| Trusted Relationship | Assessing exploitation of third-party integrations and partnerships |
Testing Approach:
- Direct prompt injection testing
- Input sanitization evaluation
- Authentication boundary testing
- Dependency security assessment
Execution
Techniques for running malicious code in AI environments.
| Technique | Description |
|---|---|
| Command and Scripting Interpreter | Testing code injection through AI notebooks and shells |
| User Execution | Assessing social engineering targeting AI developers and operators |
| Container Administration Command | Evaluating exploitation of containerized AI deployments |
| Serverless Execution | Testing abuse of serverless AI functions and lambdas |
| Cloud Administration Command | Assessing execution through cloud management interfaces |
Testing Approach:
- Code execution boundary testing
- Action authorization evaluation
- Plugin security assessment
Persistence
Techniques for maintaining access to AI systems across restarts and updates.
| Technique | Description |
|---|---|
| Account Manipulation | Testing persistence through compromised AI service accounts |
| Create Account | Assessing unauthorized account creation in AI platforms |
| Scheduled Task/Job | Evaluating persistence through training pipeline schedules |
| Server Software Component | Testing backdoors in model serving infrastructure |
| Container Orchestration Job | Assessing persistence in Kubernetes-based AI deployments |
Testing Approach:
- Behavioral consistency testing
- Context carryover evaluation
- Session persistence assessment
- Model backdoor detection
Privilege Escalation
Techniques for gaining higher-level permissions in AI systems.
| Technique | Description |
|---|---|
| Valid Accounts | Testing escalation through compromised administrator accounts |
| Cloud Service Dashboard | Assessing privilege escalation via cloud console access |
| Container API Exploitation | Evaluating escalation in containerized AI environments |
| Access Token Manipulation | Testing privilege elevation through token modification |
| Domain Policy Modification | Assessing manipulation of AI governance and access policies |
Testing Approach:
- Role-based access control testing
- Permission boundary evaluation
- Privilege escalation attempts
Defense Evasion
Techniques to avoid detection and bypass AI security measures.
| Technique | Description |
|---|---|
| Obfuscated Files or Information | Testing evasion through encoded payloads and scripts |
| Indicator Removal | Assessing deletion of attack evidence from AI audit logs |
| Impair Defenses | Evaluating disabling of AI security monitoring and alerts |
| Masquerading | Testing impersonation of legitimate AI processes and services |
| Valid Accounts | Assessing use of compromised legitimate credentials to avoid detection |
Testing Approach:
- Filter bypass evaluation
- Obfuscation technique testing
- Encoding variation assessment
- Incremental attack simulation
Credential Access
Techniques for stealing credentials used for AI system access and authentication.
| Technique | Description |
|---|---|
| Unsecured Credentials | Testing exposure of AI API keys and service tokens |
| Credentials from Password Stores | Assessing theft from credential management systems |
| Steal Application Access Token | Evaluating extraction of OAuth tokens and JWT credentials |
| Steal Web Session Cookie | Testing session hijacking for AI management platforms |
| Brute Force | Assessing password attacks against AI interfaces and services |
Testing Approach:
- Credential leakage testing
- Token exposure evaluation
- Session security assessment
Discovery
Techniques for exploring the AI environment to map systems and identify valuable targets.
| Technique | Description |
|---|---|
| System Information Discovery | Testing enumeration of AI infrastructure and configurations |
| File and Directory Discovery | Assessing discovery of models, datasets, and code repositories |
| Network Service Discovery | Evaluating identification of AI endpoints and APIs |
| Cloud Service Discovery | Testing enumeration of cloud-based AI services |
| Permission Groups Discovery | Assessing mapping of AI platform roles and privileges |
Testing Approach:
- Model fingerprinting attempts
- Capability enumeration
- Integration boundary testing
Lateral Movement
Techniques to move through the AI environment and connected systems.
| Technique | Description |
|---|---|
| Remote Services | Testing movement through SSH/RDP to AI infrastructure |
| Cloud Service Dashboard | Assessing lateral movement via cloud management consoles |
| Software Deployment Tools | Evaluating abuse of CI/CD pipelines for AI models |
| Taint Shared Content | Testing propagation through shared models and datasets |
| Use Alternate Authentication Material | Assessing movement using stolen tokens and keys |
Testing Approach:
- Cross-system access testing
- Model pipeline exploitation
- Service integration boundary assessment
Collection
Techniques for gathering information of interest from AI systems prior to exfiltration.
| Technique | Description |
|---|---|
| Data from Information Repositories | Testing extraction of training datasets and model artifacts |
| Data from Cloud Storage | Assessing theft of cloud-hosted models and datasets |
| Screen Capture | Evaluating capture of AI dashboard and monitoring interfaces |
| Automated Collection | Testing systematic extraction of AI assets and configurations |
| Archive Collected Data | Assessing preparation and staging of stolen AI resources |
Testing Approach:
- Training data extraction attempts
- PII leakage testing
- System prompt recovery evaluation
- Historical data access assessment
Command and Control
Techniques for communicating with and controlling compromised AI systems.
| Technique | Description |
|---|---|
| Application Layer Protocol | Testing covert channels through AI API endpoints |
| Data Obfuscation | Assessing hidden communications in legitimate AI traffic |
| Dynamic Resolution | Evaluating use of dynamic infrastructure for C2 |
| Web Service | Testing command channels through legitimate cloud services |
| Encrypted Channel | Assessing use of encryption to hide malicious communications |
Testing Approach:
- Covert channel detection
- Instruction injection evaluation
- State manipulation assessment
Exfiltration
Techniques for stealing models, data, and intellectual property from AI systems.
| Technique | Description |
|---|---|
| Exfiltration Over C2 Channel | Testing data theft through established command channels |
| Exfiltration Over Web Service | Assessing use of legitimate services for data transfer |
| Automated Exfiltration | Evaluating systematic model and dataset extraction |
| Transfer Data to Cloud Account | Testing exfiltration to attacker-controlled storage |
| Exfiltration Over Physical Medium | Assessing theft via removable media or local access |
Testing Approach:
- Model extraction resistance testing
- Data leakage prevention evaluation
- Knowledge boundary assessment
Impact
Techniques to disrupt, corrupt, or destroy AI systems and operations.
| Technique | Description |
|---|---|
| Data Destruction | Testing deletion of critical models and training datasets |
| Data Encrypted for Impact | Assessing ransomware attacks targeting AI assets |
| Service Stop | Evaluating disruption of AI inference and training services |
| Resource Hijacking | Testing cryptomining or compute theft using AI infrastructure |
| Data Manipulation | Assessing integrity attacks on models and training data |
Testing Approach:
- Behavior hijacking evaluation
- Resource exhaustion testing
- Harmful content generation assessment
- Reputation risk evaluation
See Also
- OWASP LLM Top 10 - Security vulnerabilities
- NIST AI RMF - Risk management framework
- EU AI Act - Cybersecurity requirements