MITRE ATT&CK Navigator: A Practical Threat Modeling Workflow for LLMjacking and AI Security

Executive Summary: As large language models (LLMs) become central to enterprise and government operations, they also emerge as high-value targets for adversaries. "LLMjacking"—the unauthorized hijacking of LLM resources via credential theft, API abuse, or cloud misconfigurations—poses a rapidly growing threat, as highlighted in recent intelligence reports. To counter this, organizations must adopt a structured threat modeling approach grounded in real-world adversary behavior. The MITRE ATT&CK Navigator provides a flexible, visualization-driven framework to map, analyze, and prioritize threats against AI systems. This article outlines a practical workflow for using the MITRE ATT&CK Navigator to model LLMjacking threats, integrate OSINT intelligence, and inform detection and response strategies within the broader context of evolving AI security threats.

Key Findings

LLMjacking is an emerging attack vector leveraging stolen credentials, API abuse, or cloud misconfigurations to hijack LLM resources for data exfiltration, inference manipulation, or resource consumption.
The MITRE ATT&CK Framework, particularly the Navigator, enables organizations to systematically map adversary tactics and techniques relevant to AI systems, including those leveraged in LLMjacking.
Threat modeling with ATT&CK supports proactive risk assessment, detection engineering, and incident response planning for AI security programs.
OSINT sources, such as intelligence on APT groups, ransomware, and botnets, enrich ATT&CK-based threat models by providing real-world context on active threat actors and campaigns.
Integrating AI-specific security guidance—such as OWASP LLM Top 10 and Certified AI Security Professional (CASP) frameworks—enhances the relevance and depth of ATT&CK-based threat modeling.

Understanding LLMjacking in the Threat Landscape

LLMjacking refers to the unauthorized takeover or exploitation of large language models (LLMs), their APIs, or the underlying compute infrastructure. Attackers may gain access via compromised credentials, exposed API keys, or misconfigured cloud environments. Once inside, adversaries can misuse LLMs for malicious inference, data extraction, prompt injection, or even turn them into covert command-and-control (C2) channels. This threat has been flagged in recent intelligence reports as a fast-growing vector, particularly in enterprise and government sectors where LLMs are integrated into critical workflows.

In parallel, Germany’s 2024 cybersecurity report highlights the proliferation of ransomware groups, botnets, new malware variants, and advanced persistent threats (APTs)—many of which now target cloud and AI infrastructure. These threats often overlap with LLMjacking, as access brokers sell stolen cloud credentials that can be used to compromise AI services. Thus, modeling LLMjacking requires situating it within the broader matrix of cyber threats affecting modern IT environments.

The MITRE ATT&CK Framework as a Foundation for AI Security

The MITRE ATT&CK Framework is a globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs). Originally designed for enterprise IT environments, it has been extended to cover cloud services, containers, and increasingly, AI and machine learning systems. The MITRE ATT&CK Navigator is a web-based tool that allows organizations to visualize and customize ATT&CK matrices, enabling interactive threat modeling, prioritization, and collaboration.

For AI security, ATT&CK provides a structured way to:

Map adversary behaviors specific to AI systems (e.g., credential abuse, model poisoning, data exfiltration via API).
Identify gaps in detection and response capabilities.
Align security controls with real-world threats.

By leveraging ATT&CK, security teams can move from reactive to proactive defense—anticipating how attackers might abuse or subvert LLMs before an incident occurs.

Practical Workflow: Threat Modeling LLMjacking Using ATT&CK Navigator

Step 1: Define the AI System Scope

Begin by clearly defining the boundaries of the AI system under analysis. For LLMjacking, this includes:

LLM endpoints and APIs (e.g., REST, GraphQL, or proprietary inference APIs).
Authentication mechanisms (OAuth, API keys, short-lived tokens).
Underlying infrastructure (cloud instances, Kubernetes clusters, container registries).
Data pipelines (prompt logs, training data, model weights, fine-tuning datasets).

This scope reflects the attack surface targeted in LLMjacking campaigns, where credentials to any of these components can lead to full system compromise.

Step 2: Select and Customize the ATT&CK Matrix

Use the MITRE ATT&CK Navigator to load the appropriate matrix—likely the Enterprise ATT&CK framework with cloud and container extensions. Customize the matrix by:

Focusing on relevant tactics such as:

Initial Access (e.g., T1078 – Valid Accounts, T1133 – External Remote Services)
Credential Access (e.g., T1555 – Credentials from Password Stores, T1528 – Steal Application Access Token)
Persistence (e.g., T1098 – Account Manipulation, T1542 – Pre-boot Authentication) – relevant if attackers maintain access via hijacked API keys
Execution (e.g., T1059 – Command and Scripting Interpreter via API calls)
Exfiltration (e.g., T1041 – Exfiltration Over C2 Channel, T1567 – Exfiltration Over Web Service)

Adding custom techniques where standard ATT&CK entries are insufficient—e.g., Prompt Injection (AI-specific) or Model Poisoning via Training Data Tampering.
Labeling techniques with risk scores (e.g., likelihood × impact) to prioritize modeling efforts.

Step 3: Enrich the Model with OSINT Intelligence

OSINT provides critical context on active adversaries and campaigns. Integrate intelligence from sources such as:

APT group profiles (e.g., APT29, APT41) known to target cloud and AI environments.
Botnet and access broker reports detailing credential sales on dark web markets.
Ransomware and malware variant analyses that include cloud API abuse.
Academic and industry research on LLM security, such as the OWASP LLM Top 10 or CASP guidance.

Map these intelligence feeds to ATT&CK techniques. For example, if a recent report shows an APT group using stolen OAuth tokens to access Azure-hosted LLMs, tag the relevant ATT&CK techniques (T1078, T1528) with a high severity and link to the intelligence source.

Step 4: Conduct Collaborative Threat Modeling Sessions

Use the ATT&CK Navigator in workshop-style sessions with red teams, cloud security, and AI engineers. The tool’s collaborative features allow teams to:

Annotate techniques with attack scenarios specific to LLMjacking (e.g., "Attacker uses stolen API key to generate synthetic prompts for data exfiltration").
Assign ownership for mitigations and detections.
Visualize coverage gaps across tactics—e.g., limited monitoring for unauthorized API calls.

This collaborative approach ensures both technical depth and cross-functional alignment.

Step 5: Translate Model into Detection and Response Strategies

The completed ATT&CK-based threat model becomes the blueprint for security operations:

Detection Engineering: Develop SIEM queries, EDR rules, or API gateway logs to detect ATT&CK-mapped behaviors (e.g., unusual inference request volumes, geolocation anomalies, API key rotation without user action).