L2.3.2 — ATLAS tactics: the AI kill chain
Type: Theory · Duration: ~5 min · Status: Mandatory · Module: Module 2 — AI Security Foundations · Framework tags: MITRE ATLAS (tactics layer)
Learning objectives
- Recall the 14 ATLAS tactics in kill-chain order.
- Identify which tactics are unique to ATLAS (vs. inherited from ATT&CK).
Core content
The 14 ATLAS tactics in kill-chain order
1. Reconnaissance ← gather info about targets
2. Resource Development ← build/acquire attack capabilities
3. Initial Access ← get a foothold
4. ML Model Access ★ AI-specific
5. Execution ← run code
6. Persistence ← maintain access
7. Privilege Escalation ← gain higher access
8. Defense Evasion ← avoid detection
9. Credential Access ← steal creds
10. Discovery ← internal recon
11. Collection ← gather data
12. ML Attack Staging ★ AI-specific
13. Exfiltration ← move data out
14. Impact ← deliver the payload
Two stars highlight the AI-specific tactics: ML Model Access (position 4) and ML Attack Staging (position 12). The rest are inherited from ATT&CK, with AI-specific techniques added under them.
The two AI-specific tactics
ML Model Access (AML.TA0005). The adversary is trying to obtain access to a target model. Techniques include obtaining inference API access, downloading public model weights, observing model outputs through a product, or compromising a model registry. This is the tactic that often precedes everything else AI-specific — you cannot extract, poison, or evade a model you can't talk to.
ML Attack Staging (AML.TA0007). The adversary is preparing the AI-specific attack. Techniques include crafting adversarial examples, building a substitute model for transferability attacks, preparing poisoned training data, or developing a prompt-injection payload. Staging happens before Execution; it's the AI analog of weapon development.
Walking the chain with one example
A query-based model extraction attack against a closed-API LLM:
| # | Tactic | Specific technique |
|---|---|---|
| 1 | Reconnaissance | Identify target model via behavioral fingerprinting |
| 2 | Resource Development | Pay for API access, write extraction script |
| 4 | ML Model Access | Obtain inference API access (AML.T0040) |
| 12 | ML Attack Staging | Generate diverse query set; collect responses |
| 11 | Collection | Aggregate input/output pairs |
| 13 | Exfiltration | Export collected pairs to attacker storage |
| 14 | Impact | Train substitute model; bypass licensing/IP |
Notice: this chain skipped tactics 5–10 entirely. Many AI-specific chains do — they don't need Execution or Privilege Escalation in the classical sense because the "execution" surface is the model's inference API, which the attacker reaches legitimately. This is what makes AI attacks structurally different from classical ones; the attacker is often a paying customer.
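To make the defender's side of this chain concrete, here is an added example in Python; it is not part of the module and not MITRE's code. It places a detection at the ML Model Access step by running a volume-plus-diversity heuristic over constructed inference-API log lines: a legitimate product that hammers the API with a handful of templated prompts is not flagged, while one API key sweeping many distinct prompts (the "generate diverse query set; collect responses" step) is. The log format, the client names, and the thresholds (600 s window, 100 queries, 90% distinct prompts) are assumptions chosen for the example; the only ATLAS identifier used is AML.T0040 from the table above.

```python
import re
from collections import defaultdict, deque

# Log line format assumed for this example (not an ATLAS or vendor format):
#   <unix_ts> <client_id> <prompt_hash_prefix> <http_status>
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<prompt>[0-9a-f]+) (?P<status>\d{3})$")


def constructed_log():
    """Constructed sample inference-API log (not real traffic).

    app-prod : a legitimate product repeating five templated prompts at high volume.
    key-7f3e : a single API key sweeping 120 distinct prompts, one per second,
               which is the shape of 'generate a diverse query set; collect responses'.
    """
    base = 1_700_000_000
    templated = ["9a1c", "2b77", "c0de", "51ab", "e4f0"]
    lines = [f"{base + i * 4} app-prod {templated[i % 5]} 200" for i in range(150)]
    lines += [f"{base + i} key-7f3e {i:04x} 200" for i in range(120)]
    lines.append("malformed line the parser must skip")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (ts, client, prompt_hash, status) tuples sorted by time.
    Lines that do not match the format are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["ts"]), m["client"], m["prompt"], int(m["status"])))
    events.sort()
    return events


def detect_extraction(events, window_s=600, min_queries=100, min_distinct_ratio=0.9):
    """Flag clients whose successful queries in any sliding window are both
    numerous and almost all distinct. Volume alone would flag app-prod and
    diversity alone would flag a curious user; the conjunction is the
    signature of the staging/collection steps of the extraction chain."""
    windows = defaultdict(deque)  # client -> deque of (ts, prompt) inside the window
    alerts = {}
    for ts, client, prompt, status in events:
        if status != 200:  # rejected or rate-limited calls yielded no output to collect
            continue
        win = windows[client]
        win.append((ts, prompt))
        while ts - win[0][0] > window_s:
            win.popleft()
        n = len(win)
        if n < min_queries or client in alerts:
            continue
        ratio = len({p for _, p in win}) / n
        if ratio >= min_distinct_ratio:
            alerts[client] = {
                "tactic": "ML Model Access",  # the step at which the defender observes it
                "technique": "AML.T0040",     # inference API access, from the lesson's table
                "queries": n,
                "distinct_ratio": round(ratio, 2),
                "window": (win[0][0], ts),
            }
    return alerts


if __name__ == "__main__":
    for client, finding in detect_extraction(parse_log(constructed_log())).items():
        print(client, finding)
```

The conjunction of the two signals is the point: the chain reaches the API legitimately, so there is no malformed request or failed login to alert on, and the only observable is the statistical shape of the traffic. Tune the thresholds against your own product's baseline; the values here are illustrative.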
What this lets you do
For any AI system, you can now:
- List the realistic chains an attacker would walk.
- Place a defense at each step of each chain (mostly at ML Model Access and ML Attack Staging for the AI-specific portion).
- Tag findings with technique IDs that map cleanly into your threat model, your red-team plan, and your detection rules.
This is the use of ATLAS, and it's what lab L2.6 exercises.
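As an added worked example (not the module's or lab L2.6's own material), the following Python encodes the fourteen tactics in the lesson's order together with the extraction chain from the table, then does the three things listed above mechanically: it reports which tactics the chain skips, tags the chain with the technique IDs it carries, and checks the chain against a control inventory to find uncovered steps. The control inventory is a hypothetical assumption for the example; the only ATLAS ID used is AML.T0040 from the table, and the other steps deliberately carry no ID rather than an invented one. Because the function computes every gap between the chain's first and last tactic, it also reports Initial Access, which the table above does not traverse either.

```python
# Kill-chain order exactly as the lesson lists it; the two starred tactics are AI-specific.
ATLAS_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "ML Model Access",
    "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Collection", "ML Attack Staging",
    "Exfiltration", "Impact",
]
AI_SPECIFIC = {"ML Model Access", "ML Attack Staging"}
POSITION = {name: i + 1 for i, name in enumerate(ATLAS_TACTICS)}

# The lesson's extraction chain as (tactic, technique, technique_id). AML.T0040 is the
# only ID the lesson gives; the other steps carry None rather than an invented ID.
EXTRACTION_CHAIN = [
    ("Reconnaissance", "Identify target model via behavioral fingerprinting", None),
    ("Resource Development", "Pay for API access, write extraction script", None),
    ("ML Model Access", "Obtain inference API access", "AML.T0040"),
    ("ML Attack Staging", "Generate diverse query set; collect responses", None),
    ("Collection", "Aggregate input/output pairs", None),
    ("Exfiltration", "Export collected pairs to attacker storage", None),
    ("Impact", "Train substitute model; bypass licensing/IP", None),
]

# Hypothetical control inventory (an assumption for this example): control -> tactics covered.
CONTROLS = {
    "per-key rate limit + query-diversity alert": {"ML Model Access", "ML Attack Staging", "Collection"},
    "API-key identity verification and ToS acceptance": {"Resource Development"},
    "watermark generated outputs": {"Impact"},
}


def validate_chain(chain):
    """Reject a chain that uses a tactic name ATLAS does not define."""
    unknown = [t for t, _, _ in chain if t not in POSITION]
    if unknown:
        raise ValueError(f"not ATLAS tactics: {unknown}")
    return True


def skipped_tactics(chain):
    """Tactics lying between the chain's first and last tactic that it never touches:
    the lesson's 'skipped 5-10' observation made mechanical."""
    validate_chain(chain)
    used = {t for t, _, _ in chain}
    lo = min(POSITION[t] for t in used)
    hi = max(POSITION[t] for t in used)
    return [t for t in ATLAS_TACTICS if lo < POSITION[t] < hi and t not in used]


def ai_specific_steps(chain):
    """The steps that fall under the two starred tactics."""
    return [(t, tech) for t, tech, _ in chain if t in AI_SPECIFIC]


def technique_ids(chain):
    """The IDs a finding about this chain would be tagged with."""
    return sorted({tid for _, _, tid in chain if tid})


def coverage(chain, controls):
    """For each step, the controls whose tactic set covers it. The uncovered steps
    are the gaps a threat model or red-team plan should call out."""
    by_tactic = {}
    for name, tactics in controls.items():
        for t in tactics:
            by_tactic.setdefault(t, []).append(name)
    return [(t, tech, by_tactic.get(t, [])) for t, tech, _ in chain]


def coverage_gaps(chain, controls):
    """Tactics in the chain that no control in the inventory covers."""
    return [t for t, _, ctrls in coverage(chain, controls) if not ctrls]


if __name__ == "__main__":
    print("skipped:", skipped_tactics(EXTRACTION_CHAIN))
    print("AI-specific:", ai_specific_steps(EXTRACTION_CHAIN))
    print("IDs:", technique_ids(EXTRACTION_CHAIN))
    for tactic, technique, ctrls in coverage(EXTRACTION_CHAIN, CONTROLS):
        print(f"{POSITION[tactic]:>2} {tactic:<22} {technique:<55} {ctrls or 'GAP'}")
```

The chain is not checked for strict tactic order, because the lesson's own table places ML Attack Staging (12) before Collection (11); ATLAS tactics describe goals, not a mandatory sequence. Swap in your own control inventory and chains, and the gap list becomes the agenda for the next threat-model review.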
Real-world example
The PoisonGPT incident chain in ATLAS terms: Resource Development (fine-tune a small model on doctored facts) → ML Attack Staging (publish under a near-name typosquat) → ML Model Access for victims (anyone who downloads it) → Impact (downstream apps emit confidently-false statements). Four tactics, no Execution or Privilege Escalation tactics traversed at all. Pure supply-chain + staging.
Key terms
- AI kill chain — the ATLAS-ordered sequence of tactics an adversary moves through.
- Substitute model — a model trained on the target's input/output pairs, used as a transferability proxy.
- Transferability — the empirical property that adversarial inputs designed against one model often work against another.
References
- ATLAS Matrix — https://atlas.mitre.org/matrices/
- ATLAS AML.TA0005 (ML Model Access) — https://atlas.mitre.org/tactics/AML.TA0005
- ATLAS AML.TA0007 (ML Attack Staging) — https://atlas.mitre.org/tactics/AML.TA0007
Quiz items
- Q: Name the two ATLAS-unique tactics. A: ML Model Access and ML Attack Staging.
- Q: Why do many AI attack chains skip tactics 5 (Execution) and 7 (Privilege Escalation)? A: Because the attacker reaches the inference API legitimately (often as a paying customer), so classical "execution" and "privilege escalation" aren't required to land impact.
Video script (~620 words, ~4.5 min)
[SLIDE 1 — Title]
ATLAS tactics. The AI kill chain. Five minutes. By the end you'll know the fourteen tactics, which two are AI-unique, and how a real chain reads.
[SLIDE 2 — The 14 tactics]
Fourteen tactics in kill-chain order. Reconnaissance. Resource Development. Initial Access. ML Model Access — star, AI-specific. Execution. Persistence. Privilege Escalation. Defense Evasion. Credential Access. Discovery. Collection. ML Attack Staging — star, AI-specific. Exfiltration. Impact. Two starred. The rest are inherited from ATT&CK with AI-specific techniques added underneath.
[SLIDE 3 — ML Model Access]
ML Model Access. AML.TA0005. The adversary is trying to obtain access to a target model. Techniques include obtaining inference API access. Downloading public model weights. Observing model outputs through a product. Compromising a model registry. This tactic often precedes everything else AI-specific. You can't extract, poison, or evade a model you can't talk to.
[SLIDE 4 — ML Attack Staging]
ML Attack Staging. AML.TA0007. The adversary is preparing the AI-specific attack. Crafting adversarial examples. Building a substitute model for transferability. Preparing poisoned training data. Developing a prompt-injection payload. Staging happens before Execution. It's the AI analog of weapon development.
[SLIDE 5 — Walking a chain]
One concrete chain. Query-based model extraction against a closed-API LLM. Reconnaissance: identify the target model via behavioral fingerprinting. Resource Development: pay for API access, write extraction script. ML Model Access: obtain the inference API. ML Attack Staging: generate a diverse query set, collect responses. Collection: aggregate input/output pairs. Exfiltration: export. Impact: train a substitute model.
[SLIDE 6 — What's notable about that chain]
What's notable. This chain skipped tactics 5 through 10 entirely. No Execution. No Privilege Escalation. No Credential Access. No Discovery. Many AI-specific chains do. They don't need classical Execution because the "execution" surface is the model's inference API, which the attacker reaches legitimately. The attacker is often a paying customer. This is what makes AI attacks structurally different from classical ones. The kill chain is shorter and starts much later.
[SLIDE 7 — What this lets you do]
What this lets you do. For any AI system, you can list the realistic chains an attacker would walk. Place a defense at each step of each chain — mostly at ML Model Access and ML Attack Staging for the AI-specific portion. Tag findings with technique IDs that map cleanly into your threat model, your red-team plan, and your detection rules. This is the use of ATLAS. It's what the L2.6 lab exercises.
[SLIDE 8 — PoisonGPT in ATLAS]
PoisonGPT incident chain in ATLAS terms. Resource Development — fine-tune a small model on doctored facts. ML Attack Staging — publish under a near-name typosquat. ML Model Access for victims — anyone who downloads it. Impact — downstream apps emit confidently-false statements. Four tactics. No Execution or Privilege Escalation tactics traversed at all. Pure supply-chain plus staging. The shape of these chains is different from classical incidents, and that difference is the value ATLAS adds.
[SLIDE 9 — Up next]
Last ATLAS lesson next. We'll look at how to read a technique page, what's in a case study, and how to use them in your day-to-day work. See you there.
Slide outline
- Title — "ATLAS tactics: the AI kill chain".
- The 14 tactics — vertical timeline with two starred boxes (ML Model Access, ML Attack Staging).
- ML Model Access — dedicated slide: large heading, 4 sample techniques as cards.
- ML Attack Staging — dedicated slide: same shape.
- Walking a chain — left-to-right chain diagram of the extraction attack with tactic labels.
- What's notable — same chain re-drawn with skipped tactics greyed out.
- What this lets you do — three-bullet capability list with arrows to "threat model / red-team plan / detection rule."
- PoisonGPT in ATLAS — four-tactic chain diagram for PoisonGPT.
- Up next — "L2.3.3 — Reading ATLAS techniques and case studies, ~5 min."
Production notes
- Recording: ~4.5 min. Cap 5.
- Slide 5 (the extraction-chain walk-through) is the visual anchor. Worth animating step-by-step.