Brett Hawkins

Brett Hawkins has been in Information Security for several years, working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, and is currently on the Adversary Services team at IBM X-Force Red. He holds several industry-recognized certifications, and has spoken at several conferences including Black Hat (US and EU), BlueHat, ShmooCon, DerbyCon, Wild West Hackin' Fest, BSides, and Hackers Teaching Hackers. Brett is also a member of the open-source community, having contributed to or authored various public tools, such as SharPersist, DueDLLigence, SCMKit, ADOKit, MLOKit and InvisibilityCloak.


Session

06-26
13:15
60min
Becoming the Trainer: Attacking ML Training Infrastructure
Brett Hawkins

Artificial Intelligence (AI) is quickly becoming a strategic investment for companies of all sizes and across industries such as automotive, healthcare and financial services. To fulfill this rapidly developing business need, machine learning (ML) models must be developed and deployed to support these AI-integrated products and services via the machine learning operations (MLOps) lifecycle. The most critical phase within the MLOps lifecycle is when the model is being trained within an ML training environment. If an attacker were to gain unauthorized access to any component of the ML training environment, this could affect the confidentiality, integrity, and availability of the models being developed.

This research includes a background on ML training environments and infrastructure, along with details of different attack scenarios against the various critical components, such as Jupyter notebook environments, cloud compute, model artifact storage, and model registries. The talk outlines how the integrations between these components can be taken advantage of to facilitate privilege escalation and lateral movement, as well as how ML model theft and poisoning can be conducted. In addition to presenting these attack scenarios, it describes how to protect and defend these ML training environments.

Attack & Research
Track 3