I just completed the TryHackMe AI Threat Modelling room and it's a gold mine of information. This room exposes you to every phase of threat modeling through the lens of AI and discusses how one of the most prominent approaches still falls short of classifying all parts of the AI attack surface. The room introduced me further to the STRIDE-AI framework and the MITRE ATLAS technique catalog. Both, combined, can help craft answers to the questions "what" and "how". The STRIDE-AI framework, as framed by this room, helps indicate what kind of threat is present. MITRE ATLAS gives details on the "how" through its list of tactics, techniques and procedures.
The room also covers the OWASP Top 10 for LLMs and how it assigns risks to the different components of the AI attack surface. This is something I'd seen previously, but I had never gone through the exercise of mapping it to the exact part of the AI architecture that could be impacted by these identified risks. This part of the room really hit home. That "ah-ha" moment happened in this part of the room. So by the end, my eyes were wide with 395,526,625 thoughts, realizing that I had just gone through the entire threat modeling workflow:
1) Identify the AI asset attack surfaces
2) Understand the supply chain of the application (data, model, etc.)
3) STRIDE-AI
4) MITRE ATLAS
5) OWASP Top 10 for LLMs to AI asset risk mapping
6) Prioritize and report
10/10 HIGHLY Recommend you join this room to learn more: https://tryhackme.com/room/aithreatmodelling