A
You're listening to the Cyberwire network. Powered by N2K.
B
The DMV has established itself as a top tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot.

At Thales, they know cybersecurity can be tough and you can't protect everything, but with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T H A L E S. Learn more at thalesgroup.com/cyber.

Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
A
So we tried to approach it in a way where we have kind of multimodal attacks. It's not just a simple prompt injection now that we have the, I guess, influence of agentic AI, right? So we have agents that can do web searches, can look at the Google Drive, look at your email. This kind of brings in that traditional cybersecurity factor there. What are the security boundaries? Right.
B
That's Amanda Russo, principal AI security researcher from Straiker. The research we're discussing today is titled "Silent Exfiltration: Zero-Click Agentic AI Hack That Can Leak Your Google Drive With One Email."
A
So we wanted to look into how can we cross those security boundaries through just prompts, either indirect prompts or direct prompts.
B
So the term silent exfiltration, what are we talking about with that?
A
So with silent exfiltration, say you have an agent connected to your email or your Google Drive and you say, hey, can you summarize all of my email? Can you summarize the documents that are in my Google Drive, or can you help me search for one? And as it's going through doing those summaries, it's going to be looking at the text content, and in that text content there's going to be indicators for parsing or even prompt indicators that it will automatically pick up. And this is not something that the agent intended to do. This is kind of part of that excessive agency that we mentioned in the blog. So it'll automatically look at the content there and try to run Python code, try to use the prompt. So a lot of these things are about trying to figure out input sanitization or putting guardrails around what kind of content it is actually consuming.
B
Well, you refer to this as a zero-click hack. What's so alarming about that particular aspect of it?
A
Yeah, so something with zero click. Say you have your agent connected and you get an email or a Google Drive document that has a prompt injection in there and you were to say, hey, summarize all of my email, it will go in. And even though you weren't intending to access that malicious email or a malicious document, it'll automatically exfiltrate either all your email, all your Google Drive documents out to a C2 or collection server without your knowledge. It'll all do it on the back end where the agent is processing.
B
And is this sort of the fundamental issue with agentic AI that it seems to me like it sort of takes down the borders between the various apps on your system?
A
Right, right. There's no rules, there's no rule detection. Like there is like a WAF or something. It's all about coercion or asking it to do something that it normally doesn't do, relying on its parsing failures, trying to deceive it, like say you want to do a role play or something and it'll try to get around those guardrails so it's no longer like a cut and dry, traditional cybersecurity or antivirus rule. There's going to be a lot more changes in how we protect these things.
B
What makes email such a powerful vector in this particular case?
A
Well, you are at the mercy of the email filtering for that particular provider. Right. If there is email that is coming through and it's getting summarized by your AI agent, there's no extra guardrail there saying, hey, I shouldn't look at my spam email, I shouldn't look at the content in this email. Or maybe it doesn't have an external indicator that it's from an external party. Maybe it was an insider. You don't have that human element of discerning between a good email and a bad email. And I don't think we're at the point yet where we have email rules that filter prompt injections. Not yet.
B
Can you help me understand the potential scope of this? I mean, let's say I'm the bad actor and I put some sort of a prompt injection in an email that I send to you. Is the sky the limit here on what I can do on your machine, or where do you suppose the edges are?
A
What capabilities does the agent have? Can it do web search? Can it access the web? Can it do POST requests and GET requests? Can it do Python code execution? Can it make documents? Can it have access to the file system? So a lot of these are where the security boundaries are and how much you allow that agent to perform those things. So for instance, you know, even though it was unintended that you wanted to execute Python, you know, is it possible to do like a Python interpreter breakout through just like a prompt injection from an email and then you could own the whole, you know, backend system there. It's kind of marrying traditional cybersecurity, like hardening for these tools that the agent is using, and on top of that, from the AI side, having those guardrails to recognize when it's being abused.
B
Well, in your research, to what degree is this speculative or potential and how much have you actually tried it out and seen how effective it can be?
A
From the blog? This is actually our work making these red teaming scenarios both in enterprise and in our research lab. There's only so much we can talk about publicly, but a lot of this comes from real life attacks that we've administered ourselves.
B
I see, what are your recommendations then? I mean, how do folks best protect themselves against this sort of thing?
A
Yeah, it's going to be how much do you trust that AI agent? Right. In an enterprise environment, are you going to have some type of guardrails around the traces of the AI through its conversations, similar to the product that we're trying to push out? And also, have you really taken a look at hardening the tools that it's using? Are you putting your code interpreter into a properly hardened sandbox or container? You know, what type of request do you allow for web searches? Are there any guardrails about inputs and capabilities for touching documents and emails? Can it send emails? Can it delete emails? You know, it's possible that you can get an email that says delete all emails. Right. But if you don't have that guardrail in there that says no, we won't allow the AI agent to delete anything. You know, it's all about how you configure that.
B
We'll be right back.
C
This episode is brought to you by State Farm. Checking off the boxes on your to do list is a great feeling. And when it comes to checking off coverage, a State Farm agent can help you choose an option that's right for you. Whether you prefer talking in person, on the phone or using the award winning app, it's nice knowing you have help finding coverage that best fits your needs. Like a good neighbor, State Farm is there.
B
Yeah. It strikes me that email is such an interesting vector because you get incoming stuff from all sorts of different places. They're not really vetted ahead of time, and I suppose you do have filtering for spam and so on, but it's an odd thing on our computers where we kind of let stuff come in. Right. And in this case, through the agentic AI, we're enabling the activation of other actions through what previously had been just sort of a benign function of email. Am I on the right track there?
A
Yeah. Yes. So it's not necessarily like a click, like cut and dry. I click a button, it does that thing. It's now like conversation. Social engineering, traditional social engineering with an AI agent, at least from my point of view, coming from the security background.
B
Yeah. Where do you suppose we're headed with this? I mean, you can see the potential benefits of agentic AI, but there's this flip side, right?
A
Yes, yes. And you know, with any new technology, there's going to be the downsides. Right. It's growing pains with trying to secure it. So we're moving so fast that now we have, right, more solutions out there to help protect or add guardrails to these things. The best thing to do is jump on it early, do an assessment of how you're using your agentic AI and try to get that set up before something else happens. Like you have complete exfiltration of your internal infrastructure. Right.
B
Well, help me understand what that looks like, what the limitations look like. In other words, am I putting limits on the agentic AI itself or is this another security layer that goes on top to keep an eye on the agentic AI or is it a mix of all those things?
A
I think it's going to be layered. It's going to be a mix of all those things. You're going to have to have some type of logging. If you're an incident responder, how are you going to figure out how the exfiltration happened? Right. Are you going to be following the tools? Are you going to be following the AI traces? Are you going to be looking at the person who's actually doing it? All of these things, there's gotta be data somewhere. Right. And you gotta make sure you have that in your infrastructure. On top of that there's like layers of security based off the tools that it's using or your MCP servers or whatever it has access to. And then you have the AI layer, which is the AI related guardrails for using those tools.
B
I'm curious, as a security professional, how are you looking at all this? What's your outlook here? How do you feel?
A
How do I feel? When I moved over to this company, it was an opportunity for me to explore the AI space, but bringing my security background, and I feel like it's the wild, wild west, to be honest. It's a lot of traditional security concerns in this type of infrastructure. Like recently I just got a sandbox escape with a Python interpreter. And it was just through conversation. Right. So for me it's like a fun puzzle, like how can I trick the AI today on how I can get to where I want?
B
Right, right. And at the same time, it seems to me like, as you say, it's the wild west, but there's this huge green field where we don't know what we don't know so far. So I suppose there's excitement in that realm of discovery, but at the same time a little trepidation.
A
Yes, yes. It's both scary. It makes me realize like if I were to implement my own agent, how would I protect it if I'm just using it for personal research? And then if just imagining in an enterprise it's like, man, I'm going to have to look at the whole infrastructure to make sure that this thing is safe. So it's just an unexplored field. And I feel like there can be a lot of new research and new discoveries in this area.
B
Yeah. It also strikes me that the people who would benefit from this sort of thing, I could imagine the early adopters of agentic AI being high level executives because their time is so valuable. But at the same time, they're the ones who have the keys to the kingdom.
A
Yes, yes, it does save you time for sure. But at the same time, you know, with speed, there's also going to be a cost for security. Right. So we definitely need to jump on that now. And I feel like this is the era of where agentic security is just blooming.
B
And so what is available out there for folks right now who are curious about agentic AI? What are the offerings that are out there to help protect them in these early days?
A
Yeah, I mean with Straiker, we have a lot of companies that are in the same industry. They're going to be about prompt injection protections, guardrails. But for agentic AI, it's going to be a layering for folks that have that traditional security background and then working with someone who's in AI, who knows the AI side, and that's pretty much what my team is made up of, is that mixture of traditional security folks and AI folks. I don't know if there's a true end all solution yet because it's just starting.
B
Right.
A
And everybody's going to implement their own framework. There's so many MCP servers out there that haven't been scanned, haven't been looked at yet. Do we just roll in with any MCP server and put in our agent? We don't know what it does.
B
Right.
A
So there's kind of like, are we going to have, going down the line, are we going to have to sign MCP servers? Are we going to sign tools that we know are good? How do we track their supply chain as well?
B
Right. I also try to imagine the out of the box offering of this for the mere mortal, every normal computer user who wants to take advantage of this sort of thing. It's hard to imagine what that's going to look like in an effective way to put meaningful guardrails on them.
A
Right, right. And I would say the larger AI agentic offerings are probably going to have that infrastructure to do those guardrails, and they have teams that constantly fix these problems. But when you get into the smaller, like I'm going to roll my own Ollama, GPT-OSS or Llama 2 or whatever, and you do that locally, you don't have that capability to put in guardrails. Like what do you do then? So I think it's all about picking and choosing your battles there, or just throw it all into a sandbox, you know.
B
Right, right. Well, I mean, looking back at the research here, what do you hope that people come away with from having read it?
A
What I hope to come away with is I want AI researchers, both the people developing and the people protecting, to realize that it's not just prompt injections anymore. It's going to be multimodal, multi turn attacks. So one of the things I found is that if you do multi turn attacks, it's easier to extract information out of there rather than just one end all be all prompt. So it's not just this cut and dry, I tried to social engineer with one prompt. No, it's going to be multiple different routes depending on what capabilities that agent has to craft these attacks. And you're just going to have to put a layer on every part of it. A layer of security on every part of it.
B
Yeah. And if there's one thing we know about adversaries is that they have patience. Yeah. So can you give me an idea of what the spectrum of offerings are out there? What sort of tools are available to people right now?
A
Well, you know, with my company, obviously our product focuses on solving these problems. There are others like us out there that you can look for similar solutions. But you know, we really strive to look at agentic AI as a whole and solve a lot of these security problems.
B
So Amanda, what is the best way for folks to find out more about this, reaching out online?
A
Yeah, so on our blog at Straiker AI, and that's S T R A I K E R dot AI, we have a lot more research that we've been putting out, more topics about agentic AI. So if you have any more questions, you know, they can reach out and ask us directly and we'll be happy to answer those.
B
Our thanks to Amanda Russo from Straiker for joining us. The research is titled "Silent Exfiltration: Zero-Click Agentic AI Hack That Can Leak Your Google Drive With One Email." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwirent. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
A
It's Monday morning, your team just finished a meeting, and yet people still aren't sure about the next steps. Todoist helps small teams get organized without the setup headache. See what's due, who's doing what, and what's falling behind all in one calm, shared workspace. Try Todoist free and bring some clarity to your chaos. Visit todoist.com.
Episode: Data leak without a click
Date: September 13, 2025
Host: Dave Bittner (N2K Networks)
Guest: Amanda Russo, Principal AI Security Researcher, Straiker
Theme: Exploring how agentic AI systems can enable zero-click exfiltration of data through prompt injections—without user interaction.
This episode of Research Saturday investigates cutting-edge risks at the intersection of AI agents and cybersecurity. Amanda Russo shares insights from Straiker's research on "silent exfiltration": how malicious actors can leverage prompt injection attacks, embedded in something as innocuous as an email, to trigger AI agents into leaking sensitive data from services like Google Drive or email, all without direct user action. The discussion covers the unique dangers of agentic AI, the scale of potential attacks, recommendations for mitigation, and the future landscape of agentic AI security.
Summary prepared for CyberWire Daily by an expert podcast summarizer.