Inspiration

Cloud security is a critical issue in today's digital landscape, with billions of dollars lost annually due to misconfigurations and resulting cyber attacks. The release of technologies like ChatGPT has led to an estimated 85% increase in cyber attacks. Traditional symbolic methods do not scale well due to the complexity of cloud environments, which involve hundreds of thousands of access policies defining users, roles, datastores, and more. The dynamic nature of these policies—such as adding new contractors for temporary data access—further complicates tracking changes and verifying access. Each policy permits or restricts actions, and AWS alone offers thousands of actions to choose from. This creates significant room for attackers to devise strategies for data exfiltration or ransomware attacks, with new strategies emerging frequently.

What it does

CloudShieldAI uses LLM agents to identify vulnerabilities autonomously and dynamically. As new users and policies are added to the cloud, our agents analyze current permissions and autonomously define sequences of attack actions. Specifically, our agents:

  1. Explore the direct and indirect paths from a user to all data stores.
  2. Analyze whether the data in the data stores is sensitive.
  3. Attempt to perform data exfiltration and ransomware attacks (in parallel) from the user's perspective.
  4. Generate a comprehensive report detailing all findings and strategies to patch the vulnerabilities.

Ultimately, CloudShieldAI provides a detailed report that analysts can use to ensure security.
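Steps 1 and 2 can also be expressed as a plain graph search, which gives analysts a deterministic baseline to cross-check an agent's report against. The following is an added example, not CloudShieldAI's code; the in-memory policy model and every user, group, role and datastore name in it are constructed assumptions.

```python
from collections import deque

# Constructed sample environment (hypothetical names, not from the project).
MEMBER_OF = {"alice": ["analysts"], "bob": [], "carol": ["interns"]}  # user -> groups
CAN_ASSUME = {                       # principal -> roles it may assume
    "bob": ["etl-role"],
    "analysts": ["report-role"],
    "report-role": ["etl-role"],
    "etl-role": ["report-role"],     # deliberate cycle to exercise the guard
}
GRANTS = {                           # principal -> (action, datastore) grants
    "analysts": [("s3:ListBucket", "public-assets")],
    "report-role": [("s3:GetObject", "reports")],
    "etl-role": [("s3:GetObject", "customer-pii"),
                 ("s3:PutObject", "customer-pii")],
}
SENSITIVE = {"customer-pii"}         # datastores tagged as sensitive (step 2)
READ = {"s3:GetObject"}
WRITE = {"s3:PutObject", "s3:DeleteObject"}

def access_paths(user):
    """BFS over group membership and role assumption (step 1).
    Returns (path, action, datastore) for every grant the user reaches,
    recording the shortest path to each principal."""
    findings, seen, queue = [], {user}, deque([[user]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        for action, store in GRANTS.get(node, []):
            findings.append((tuple(path), action, store))
        for nxt in MEMBER_OF.get(node, []) + CAN_ASSUME.get(node, []):
            if nxt not in seen:      # guard against assume-role cycles
                seen.add(nxt)
                queue.append(path + [nxt])
    return findings

def risk_report(user):
    """Summarise read/write exposure of sensitive datastores for one user."""
    report = {}
    for path, action, store in access_paths(user):
        if store not in SENSITIVE:
            continue
        entry = report.setdefault(store, {"read": False, "write": False, "via": set()})
        entry["read"] |= action in READ
        entry["write"] |= action in WRITE
        entry["via"].add(" -> ".join(path))
    return report

if __name__ == "__main__":
    for user in MEMBER_OF:
        print(user, risk_report(user))
```

Read exposure on a sensitive store corresponds to the exfiltration scenario and write exposure to the ransomware scenario, so the `via` chain shows which membership or role-assumption link to remove.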

How we built it

  1. LocalStack: Used to simulate AWS services locally for development and testing.
  2. Boto3 APIs: Implemented logic to generate random synthetic data of users, roles, groups, datastores, their connections, and permissions, as cloud security datasets are not usually publicly available. We used boto3, the official AWS SDK for Python, to interact with AWS services.
  3. CrewAI: Defines and orchestrates our six agents. We implemented various "Tools" that interact with the cloud environment using boto3 to perform different actions.
  4. ChatGPT: Assisted in generating the correct API calls for boto3 and refactoring the code.

Challenges we ran into

  • Building Synthetic Datasets: Creating datasets that are not entirely random but enforce rules and allowable actions, adding complexity.
  • Debugging Boto3 API Calls: Ensuring LLM agents correctly interpret and handle the return objects from boto3 API calls was challenging.
  • Agent Coordination: Connecting different agents in asynchronous/synchronous modes and managing cache/states was initially difficult as we are new to CrewAI. With CrewAI's support, we managed to make our architecture work as designed.

Accomplishments that we're proud of

Our agents can interact with the cloud environment using real tools for newly created users. They make intelligent decisions to perform attacks, demonstrating their ability to autonomously identify and exploit vulnerabilities. They autonomously perform ransomware and data exfiltration attacks (in parallel), then synchronize to produce a final report with actionable items on how to fix the vulnerabilities found.

What we learned

We discovered that LLMs can effectively "guess an attack plan" based on contextual information, execute it, and autonomously recover and learn from incorrect actions. This capability is incredibly impressive and highlights the potential for AI in cybersecurity.

What's next for CloudShieldAI

  • Expand Abilities of LLM Agents: Implement more tools connected with symbolic logic and integrate these with the LLMs.
  • Real-time Monitoring: Develop features for real-time monitoring and alerting for policy changes, currently experimenting with LangGraph.
  • Broader Simulations: Simulate a wider range of configurations and attack scenarios to cover more potential vulnerabilities.
  • Collect Data: Continuously generate configurations, exploit them, and collect datasets to fine-tune models or build our own, which will be cost-effective.

Built With

  • boto3
  • crewai
  • localstack