The global AI race is in full swing, and its battleground? HuggingFace

It took eight years for the platform to reach 1 million models, but only nine months later that figure is on track to double (1.8 million at the time of writing).

Model providers of all origins – public and private, domestic and foreign, trusted and unverified – are leveraging the open-source platform to reach developers directly, creating a deluge of state-of-the-art AI for countless domains (including cybersecurity).

With an open-source AI supply chain come AI supply chain risks, as outlined in our February discussion of the three pillars of this growing attack surface:

  • Software (software library vulnerabilities, AI framework vulnerabilities)
  • Model (embedded malware within model files, architectural backdoors)
  • Data (poisoning during training processes, licensing and compliance issues)

To help organizations manage these risks automatically, the Foundation AI threat intelligence team has built Cerberus, a 24/7 guard for the AI supply chain. Cerberus analyzes models as they land on HuggingFace and publishes the results as standardized threat feeds that Cisco Security products use to build and enforce granular access policies for the AI supply chain.

In February, we announced our integration with Cisco Secure Endpoint and Secure Email, which automatically blocks known malicious model files during read/write/modify operations on the endpoint and blocks emails that carry malicious AI supply chain artifacts as attachments.

In June, we announced our integration with Cisco Secure Access Secure Web Gateway to add the following enhancements:

  • Block downloads of potentially compromised AI models – Cisco continuously scans public repositories like Hugging Face for malicious code and vulnerabilities within AI model files. When a potential threat is detected in a repository, download access to the affected files is revoked.
  • Check for license compliance – Detect and block AI models with risky or restrictive open-source licenses, such as copyleft licenses like the GPL, that pose intellectual property (IP) and compliance risks. This helps ensure legal adherence and avoids inadvertent IP violations.
  • Block downloads of models from non-approved sources – Flag and enforce policies on AI models that originate from unapproved vendors, for example providers based in geopolitically sensitive regions (DeepSeek is one such case), to maintain compliance and mitigate potential geopolitical liabilities.

AI supply chain risk management

Cerberus watches HuggingFace directly in a continuous, automated cycle:

  • Hugging Face sends Cerberus notifications about model and data repository updates.
  • Cerberus scans each updated repository for potential risks.
    • Any detected risks are compiled into a report, alongside provenance metadata (e.g., file hashes, CDN routes).
  • Threat feeds containing the latest reports are delivered directly to our partners within Cisco’s Security Business Group.

Our standardized threat feeds automatically enrich existing alerting and policy creation within Cisco Security products – no manual intervention required.

Cerberus combines metadata analysis, sandboxing, pickle file inspection, and other techniques to check for risks including, but not limited to:

  • Code Execution: Attempting to run code, usually during the object deserialization process (e.g., via builtins.eval or even pwntools)
  • Architectural Backdoors: Attempting to leverage architectural flexibility to run code (e.g., a Keras Lambda layer)
  • System Access: Attempting to gain control of the host system (e.g., via the posix module)
  • Network Access: Attempting to communicate with external hosts, likely to exfiltrate data or establish a remote-control channel (e.g., via fabric.connection or twisted.internet)
  • Obfuscation: Attempting to hide code from inspection, likely to evade detection (e.g., nested pickling via torch.serialization)
  • Compliance: Licenses with risky or restrictive clauses (e.g., GPL)
  • Prohibited Suppliers: Providers based in geopolitically sensitive regions, which could create liability issues for customers
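
The first, third, fourth and fifth categories above all surface in the same place: the opcode stream of a pickle file, where a GLOBAL or STACK_GLOBAL opcode imports the callable that REDUCE will later invoke. The following is an added example, not Cerberus code, of how that inspection can be done statically. It tokenises the stream with pickletools.genops (which never executes anything, unlike pickle.load), records every import, flags imports from a denylist, and recurses into byte arguments that themselves parse as a pickle, which is the nested-pickling trick. The denylist, the sample pickles and the verdict thresholds are constructed for this example; the samples are hand-built opcode streams and are never loaded.

```python
"""Static inspection of pickle streams without unpickling them (added example)."""
import pickle
import pickletools

# Denylist: module -> set of names, or None for every attribute of the module.
# Constructed for this example; a real scanner carries a much larger curated list.
DANGEROUS = {
    "builtins": {"eval", "exec", "compile", "getattr", "__import__", "open"},
    "posix": None, "nt": None, "os": None, "subprocess": None,
    "socket": None, "runpy": None, "pty": None,
    "fabric.connection": None, "twisted.internet": None,
}


def is_dangerous(module: str, name: str) -> bool:
    """True if module.name is denylisted; submodules inherit the closest listed parent."""
    parts = module.split(".")
    for i in range(len(parts), 0, -1):
        key = ".".join(parts[:i])
        if key in DANGEROUS:
            names = DANGEROUS[key]
            return names is None or name in names
    return False


def looks_like_pickle(blob: bytes) -> bool:
    """Structural check: the blob tokenises cleanly and ends with a STOP opcode."""
    last = None
    try:
        for op, _arg, _pos in pickletools.genops(blob):
            last = op.name
    except (ValueError, IndexError):
        return False
    return last == "STOP"


def scan_pickle(data: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Return {'imports', 'dangerous', 'nested', 'truncated'} without loading `data`."""
    findings = {"imports": [], "dangerous": [], "nested": 0, "truncated": False}
    strings = []  # string arguments pushed so far, used to resolve STACK_GLOBAL

    def record(module, name):
        findings["imports"].append(f"{module}.{name}")
        if is_dangerous(module, name):
            findings["dangerous"].append(f"{module}.{name}")

    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in ("GLOBAL", "INST"):
                record(*arg.split(" ", 1))       # arg is "module name"
            elif op.name == "STACK_GLOBAL":
                # Protocol 4+: module and name are the two most recently pushed strings.
                # Limitation: memo tricks (BINGET) can reorder the real stack; a full
                # scanner emulates the pickle VM instead of this linear approximation.
                if len(strings) >= 2:
                    record(strings[-2], strings[-1])
            elif isinstance(arg, str):
                strings.append(arg)
            elif isinstance(arg, bytes) and depth < max_depth and looks_like_pickle(arg):
                findings["nested"] += 1          # nested pickle smuggled in a byte argument
                inner = scan_pickle(arg, depth + 1, max_depth)
                findings["imports"] += inner["imports"]
                findings["dangerous"] += inner["dangerous"]
                findings["nested"] += inner["nested"]
    except (ValueError, IndexError):
        findings["truncated"] = True             # malformed or cut off: do not trust it
    return findings


def verdict(findings: dict) -> str:
    if findings["dangerous"]:
        return "malicious"
    if findings["nested"] or findings["truncated"]:
        return "suspicious"
    return "clean"


# Constructed samples, hand-assembled from opcodes. None of them is ever loaded.
SAMPLE_POSIX = (b"\x80\x02"            # PROTO 2
                b"cposix\nsystem\n"    # GLOBAL posix.system
                b"U\x02id"             # SHORT_BINSTRING "id"
                b"\x85R.")             # TUPLE1, REDUCE, STOP -> posix.system("id") on load
SAMPLE_EVAL = (b"\x80\x04"
               b"\x8c\x08builtins\x8c\x04eval\x93"   # SHORT_BINUNICODE x2, STACK_GLOBAL
               b"\x8c\x031+1\x85R.")                 # eval("1+1") on load
SAMPLE_NESTED = b"\x80\x03C" + bytes([len(SAMPLE_POSIX)]) + SAMPLE_POSIX + b"."  # SHORT_BINBYTES
SAMPLE_CLEAN = pickle.dumps({"layers": 3, "weights": [0.1, 0.2]}, protocol=2)

if __name__ == "__main__":
    for label, blob in [("posix", SAMPLE_POSIX), ("eval", SAMPLE_EVAL),
                        ("nested", SAMPLE_NESTED), ("clean", SAMPLE_CLEAN)]:
        f = scan_pickle(blob)
        print(f"{label:7} {verdict(f):10} dangerous={f['dangerous']} nested={f['nested']}")
```

Two caveats for anyone running this against real model files. First, a pickle can reach a dangerous callable without naming it directly (for example via builtins.getattr on an already-imported module, or by rebuilding the stack through the memo), so a denylist on import names catches the common gadgets but not a determined adversary; that is why static inspection is paired with sandboxed loading rather than used alone. Second, a stream that fails to tokenise is reported as truncated rather than clean, since a scanner that silently passes malformed input is a bypass waiting to happen.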

Our integrations with Cisco Security products provide multiple enforcement points:

  • Secure Access Secure Web Gateway (SWG) blocks users attempting to download potentially compromised models directly from HuggingFace.
  • Secure Email blocks emails containing potentially compromised models as attachments.
  • Secure Endpoint protects the end user’s filesystem by blocking read/write/modification to potentially compromised models.

Rapid global competition at every level of the AI value chain is creating countless opportunities for organizations. It follows that cybersecurity practitioners must operate with even more speed and leverage to keep up with everything new: new models, new tools, and fundamentally new ways of developing software, where agents play an active role in designing, writing, and reviewing code.

The Foundation AI team is dedicated to building AI that unlocks greater speed and leverage for defenders.

Stay tuned for more updates, and feel free to send us a message!

