The Gately Report: Optiv Addresses the Pros and Cons of ChatGPT in Cybersecurity
Plus, the Super Bowl provides big opportunities for cybercriminals.
![ChatGPT Speech Bubble ChatGPT Speech Bubble](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt67c3704331497f58/652406bb6399936406942cf7/ChatGPT-Speech-Bubble.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Channel Futures: Can ChatGPT help in the fight against cybercrime?
Optiv’s Randy Lariar: Absolutely. It’s very powerful to help with coding. Obviously it’s not as good as a real coder, but many developers already have an experience with GitHub copilot, which uses a similar underlying technology. And generative AI, the family of AI that ChatGPT is from, makes it very powerful to start writing a query or start doing what you need to do for a threat hunt or building a new detection. Now, again, it may not be 100% right. But if you’re concerned about the formatting or if you have a piece of code that you don’t understand what it does, or you get an error message and you want to understand, “Why did I get this error?” dropping it in ChatGPT can oftentimes get you a few steps ahead. Just like many people will just drop whatever they’re working on into Google, and oftentimes the first or second answer is going to be helpful for them. So it’s of that nature.
When you put some context around it or you think about the ways that you might need to communicate the type of work you’re doing in cyber, it can really help you. You could give it bullets of, “I’ve found X, Y, Z,” and ask it to compose a business-friendly email to a non-cybersecurity-familiar audience to explain the issue in terms that they’d be comfortable with. And so rather than spend 30 minutes crafting that perfect email again, you can within 30 seconds get most of it done, skim it, correct it and send it off. And that’s really going to accelerate cybersecurity professionals, as well as folks across a lot of different professions.
CF: Can ChatGPT code?
RL: It can write code, just use at your own risk. The code it writes is pretty good for basic functions or if you’re very specific in what you need. And another thing I’ve seen people do is take the existing code and then tell it to modify that code in a certain way. And so it’s been pretty good with those kind of prompts. And the nice thing about ChatGPT versus some of the other things is that it’s conversational. So you can say, “Rewrite this answer but change this part,” and it’ll just rewrite the code for you to copy and paste. So it is like having an assistant or a copilot as you go about your day with a lot of written tasks.
You can also ask it to build a table. You can say, “I’m looking up the following information and I want that information in the following columns”: name, description, impacted parts of the business, whatever your stuff is. And if ChatGPT is able to pull the information into a paragraph, it’s also able to pull that information into a table. And sometimes that’s a much more effective and efficient way to communicate.
CF: We hear a lot about cybersecurity team members being bombarded by alerts, making it difficult to pinpoint which ones pose real threats. Can ChatGPT help with that?
RL: I haven’t seen too many examples of the triage question, although there are other types of machine learning (ML) and AI that will certainly be helpful. I think it’s kind of that entry-level person or somebody who’s looking for an extra set of hands to triage. If you see an alert you’ve never seen before, you can drop it in and you give it a little bit of context about what you’re looking at, and it’ll give you a pretty good description. Then you can ask for its opinion. But again, buyer beware. There are some things that are going to have to scale up.
If you’re the kind of firm that has robust policies and procedures, and you see some kind of an alert, you could pivot to your internal chat and say, “This is what I’m seeing; what are the impacts alerted and who should I go talk to? Give me that in a table format and include the email addresses.” And it’s not really too far-fetched to just have it go into that document repository and pull it all out.
CF: Can ChatGPT help fill gaps in education or training, therefore making cybersecurity a career choice for a wider range of candidates?
RL: Anybody who reads this article and wants to break into cyber should just ask ChatGPT, “How should I break into cybersecurity?” It’ll return links, articles, things that might be helpful. You see a topic you’re interested. You can say, “OK, tell me more about this. Give me a few more examples of that.”
So first and foremost, it’s a great tool to organize your research and learn. And again, it doesn’t replace some context dependency. Certainly leadership and more senior management of cyber firms need to understand, really inside and out, at a level that the AI does and doesn’t have today. But it’s going to make it a lot easier to do some of the simple things, and it’s going to hopefully give people the ability to spend their time on the more value-added, complex parts of their jobs.
CF: On the flip side, can you talk a little bit about what sorts of cyber risks are associated with ChatGPT?
RL: All the advantages that I just said for the good guys, the bad guys will have, too. In fact, one positive is these contract-for-hire cyber gangs, the ransomware gangs and whatnot, maybe some of those people will get put out of work because these AIs can help. But the reality is, it will make it a lot easier for anyone from a script kit and beginner hacker, to the most sophisticated person, to do a lot of the things you need to do to be successful.
So a big one is phishing. It will give you perfect English for emails and text messages. It can also be used to impersonate people really down to the mannerism, the tone you have. If you give it a few examples of the person you’re trying to impersonate; it will make a very realistic-looking message. And that’s, of course, the biggest risk, today anyway, the human factor and doing social engineering.
It will help you code malware, and help you to code different things to crack into firewalls and different types of IT infrastructure. There’s hope that OpenAI does have some ability to filter what results come back. So maybe ChatGPT itself will not long term be used for this type of stuff. But there are lots of workarounds; there are lots of ways to hack it. And it’s creating a whole other category of risk that firms need to be very aware of, not just ChatGPT, but the AI that can be used against them, as well as their own AI being spoofed in ways that traditional IT technology has not been. You can do some things with AI where you can get it to reveal things that maybe it shouldn’t have revealed. And so those type of use cases also need to start being monitored and thought about on the defense side of the house.
CF: Is there any way to keep ChatGPT out of cybercriminals’ hands?
RL: I think the genie is out of the bottle. It’s like asking them not to have access to the internet because there’s OpenAI and ChatGPT, but right behind them Google‘s been working on things and other companies are building their own models of these things. And for all we know, nation-states have had this capability for a long time. So I think the AI is here to stay in the world. I think 2023 is a turning point in which a lot more of society is realizing how accessible and powerful ChatGPT is for the common person. We’ve been saying for a long time that organizations need to have both an offensive and a defensive strategy when it comes to data and AI. You can use it to create tremendous new opportunity, build new products, streamline operations and make a lot more money. But on the flip side, you also have to be thinking about how you use it to defend your core assets.
Photo courtesy: Ascannio/Shutterstock
CF: Is there a way for an organization to ensure ChatGPT is being used safely?
RL: Just like with the rest of cyber in IT infrastructure, there’s a frameworks-based approach to this. I see the National Institute of Standards and Technology (NIST) has put out some good guidelines around some of this. And we’ve been speaking with some of our clients about that. And I think that you’ll see the likes of MITRE as well, and folks thinking holistically about from the initial scanning and identification, through the attack and the follow-up, how you make it more difficult to perform these kind of things. How do you detect them when they’re happening? How do you mitigate and isolate them? I think it’s a whole new set of protections that we need to think about. And there’s going to be a very creative and exciting time in cybersecurity to come up with some of those.
I think today the most important thing is for CISOs and cyber teams to be familiar with this technology, playing with it, understanding the risks, looking at some of the exploits that have been posted … and really dig into this place. It is a good time to get engaged.
CF: Is there anything more we can expect to see in this new wave of AI that we that we haven’t seen yet?
RL: There are a lot of developments coming out. We’re currently on GPT-3.5 and we’re expected to go to GPT-4, which is supposed to be a much more powerful model that would just make a GPT type tool even better. I think we’ll also see examples of where it has the ability to search the internet and take in current data versus just the current model that’s trained up to 2021. We’re already seeing a ton of activity in the startup and even in the enterprise world of investment in this capability, and a lot of wrappers around the APIs. So I think there’s a lot of innovation coming and a lot of change coming.
We’ve seen Microsoft, with their deal with OpenAI, and AWS and Google Cloud Platform I’m sure are right behind it. I think all of our clients and all of the companies that have migrated to cloud are in some way familiar with that API call-and- response life cycle, and all of their offerings are going to be able to build some things that integrate with it. It’s going to just be everywhere. And I think we’ll start to see some real interesting situations emerge as a result.
CF: Is there anything about ChatGPT that’s not being talked about that should be?
RL: Hard to say for sure. But I think with a cyber lens on, it’s important not to dismiss it. This isn’t like an NFT or Web 3.0. There’s been a whole wave of things like that. And certainly those things have their pros and cons. But I think this is a lot more like the internet or the cloud. There’s definitely a before-and-after AI in our society. There’s a lot of enthusiasm. There are a lot of investors that are going to pour money into companies, some of which may be questionable in terms of doing that. So I think a lot of that will have to play out. For the cyber professional, stay focused on understanding your assets, your environment, your risks. Think about some of these next-generation capabilities, about using AI to make your team more efficient. So I don’t know that I would say there’s anything that isn’t being talked about, but there’s so much more to say.
In other cybersecurity news …
Earlier this week, we reported on malicious hackers hitting thousands of VMware ESXi hypervisors with ESXiArgs ransomware, exploiting a two-year-old vulnerability.
The attacks have taken place globally, including in the United States, Canada, France and Italy. VMware ESXi allows organizations to host several virtualized computers running multiple operating systems on a single physical server.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA recommends organizations impacted by ESXiArgs evaluate the script and its guidance to determine if it is fit for attempting to recover access to files in their environment.
Morten Gammelgard is executive vice president of EMEA at BullWall, a ransomware containment provider.
“We got lucky this time,” he said. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files, and perhaps next time a rescue script will not be available.”
Companies must patch all critical OS and application vulnerabilities in a timely manner, and deploy ransomware containment to stop the encryption from happening, Gammelgard said.
“Had this attack been more successful, many more organizations would now be facing downtime and disruption, and having to restore lots of files and environments from back up at very high cost,” he said.
Photo courtesy: Pavel Kapysh/Shutterstock
The Kansas City Chiefs and the Philadelphia Eagles won’t be the only teams playing during Sunday’s Super Bowl LVII.
Often, large, high-profile events provide an opportunity for criminal and nation-state threat actors to make money, sow confusion, increase their notoriety, discredit adversaries and advance ideological goals.
Darren Guccione is CEO and co-founder at Keeper Security. He said the two biggest motivators threat actors may have for targeting huge events like the Super Bowl are increased visibility for financial, political or other purposes.
“A successful cyberattack related to the Super Bowl will garner more media coverage than an attack at a standard company, as well as the pool of potential victims,” he said. “The large numbers of people in attendance creates a wealth of personal data that cybercriminals can target. Another potential motivator is increased opportunity. The potential entry points for threat actors have increased exponentially in recent years as the Super Bowl and its surrounding events continue to expand their digital footprint.”
The greater risk may not be to the Super Bowl itself, but rather the opportunity for bad actors to use this event to target other victims, as online scams notoriously increase around significant occasions such as sporting events, Guccione said.
“These scams include phishing attacks and fraudulent websites that can compromise individuals’ passwords, personal and financial information, or infect individuals’ computers with malware,” he said. “This threat is especially high around the Super Bowl as people download new apps or sign up for giveaways related to the game. People should always ensure they are downloading trusted apps and be careful about what information they share.”
When monitoring threats against large events like the Super Bowl, IT professionals need to consider the security of their numerous third-party vendors and contractors that can be easily overlooked, insider threats from employees or contractors, and evolving technologies that may not have existed the year before, Guccione said.
“Leading up to the big game, IT professionals should be on the lookout for phishing attacks, malware and viruses, and social engineering attacks as threat actors attempt to gain access to the computer systems used to manage the event,” he said. “Distributed denial of service (DDoS) and ransomware attacks are also possible from threat actors who are looking to cash in on an event that they know can’t be delayed. Phishing attacks related to the game are also likely to increase as people search for information related to gambling, the current score, or big events that happen during the broadcast of the game.”
Timothy Morris is chief security advisor at Tanium. He noted that the Super Bowl is historically one of the largest attended and watched events in the United States. Anything that would make the game unsafe to play or for people to physically be there would be extremely disruptive.
“That is why so much care and diligence is given to the event,” he said. “This includes physical security at the venue, the players, the event staff, contractors, suppliers, etc. Also, anything that would interrupt the broadcast of the big game would be very disruptive. Cybersecurity teams see an increased volume of phishing attempts, website compromises, watering hole attacks, business email compromise (BEC), malvertising, etc., that will be Super Bowl-themed, due to the emotion involved and users willing to take the clickbait. Users will see multiple scams as well, such as fake ticket scams, VIP experience scams, counterfeit merch or merch scams.”
Security professionals need to see the event as a prime target for cyberattacks and an easy avenue to dupe their users with Super Bowl-themed threats, Morris said.
“Many might see this as an innocent sporting event only and not the cultural phenomenon that creates opportunities for criminals,” he said. “Sometimes those opportunities are targeted toward the fan bases of the two teams playing in the championship. Rabid fans are known to lose sensibility and do things they normally wouldn’t do. Greased pole challenge anyone?”
A new report by Vade shows total phishing emails increased by 61% during the second half of 2022 over the first half of the year.
In the fourth quarter, Vade detected 278.3 million unique phishing emails, surpassing the previous quarter’s total by 74.4 million. Month-to-month, phishing volumes were relatively stable through the first half of the fourth quarter.
October saw the second-highest volumes (62.3 million), followed by November (47 million). In December, phishing emails jumped significantly, totaling more than 169 million, a 260% month-over-month increase.
Todd Stansfield is Vade’s content marketing manager.
“December’s leap followed a similar pattern observed in Q4 2021, when November accounted for a dramatic increase in phishing emails compared to other months in the quarter,” he said.
Malware volumes finished the year strong, increasing 12% quarter over quarter in the fourth quarter to account for 58.9 million emails, a 55% increase compared to the same period in 2021, according to Vade. Throughout the quarter, malware volumes saw a modest decline month-to-month. October accounted for the highest share of emails with more than 21 million, followed by November (20.8 million) and December (17 million). While malware volumes declined slightly in the second half of 2021 compared to the first half (11%), the annual total equaled more than 236.4 million emails, a 48% increase over 2021.
“Phishing-as-a-service (PaaS) platforms continue to empower hackers to launch sophisticated attacks without the technical skills,” Stansfield said. “By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets. While phishing kits continue to become more sophisticated, Vade analysts identified a recent enhancement that enables phishing kits to automatically localize phishing pages based on a victim’s native language. The feature identifies the language settings of the targeted user’s browser, and uses it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns.”
Email is the No. 1 channel for distributing phishing and malware attacks, giving hackers a convenient, scalable and efficient vehicle for exploiting users and compromising accounts, according to Vade.
A new report by Vade shows total phishing emails increased by 61% during the second half of 2022 over the first half of the year.
In the fourth quarter, Vade detected 278.3 million unique phishing emails, surpassing the previous quarter’s total by 74.4 million. Month-to-month, phishing volumes were relatively stable through the first half of the fourth quarter.
October saw the second-highest volumes (62.3 million), followed by November (47 million). In December, phishing emails jumped significantly, totaling more than 169 million, a 260% month-over-month increase.
Todd Stansfield is Vade’s content marketing manager.
“December’s leap followed a similar pattern observed in Q4 2021, when November accounted for a dramatic increase in phishing emails compared to other months in the quarter,” he said.
Malware volumes finished the year strong, increasing 12% quarter over quarter in the fourth quarter to account for 58.9 million emails, a 55% increase compared to the same period in 2021, according to Vade. Throughout the quarter, malware volumes saw a modest decline month-to-month. October accounted for the highest share of emails with more than 21 million, followed by November (20.8 million) and December (17 million). While malware volumes declined slightly in the second half of 2021 compared to the first half (11%), the annual total equaled more than 236.4 million emails, a 48% increase over 2021.
“Phishing-as-a-service (PaaS) platforms continue to empower hackers to launch sophisticated attacks without the technical skills,” Stansfield said. “By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets. While phishing kits continue to become more sophisticated, Vade analysts identified a recent enhancement that enables phishing kits to automatically localize phishing pages based on a victim’s native language. The feature identifies the language settings of the targeted user’s browser, and uses it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns.”
Email is the No. 1 channel for distributing phishing and malware attacks, giving hackers a convenient, scalable and efficient vehicle for exploiting users and compromising accounts, according to Vade.
When it comes to cybersecurity, ChatGPT can both help in the fight against cybercrime and help cybercriminals launch more attacks.
That’s according to Randy Lariar, Optiv‘s practice director of big data, artificial intelligence (AI) and analytics.
ChatGPT is a a chatbot launched by OpenAI last November. It leverages natural language processing (NLP) to analyze verbal input and generate responses, imitating a natural human conversation. It can write anything: letters, song lyrics, research papers, recipes, therapy sessions, poems, essays, outlines — even software code.
OpenAI and Microsoft recently announced an extension of their partnership. ChatGPT is available free and via subscription.
ChatGPT and the Cybersecurity Talent Shortage
Lariar said ChatGPT could help close the massive cybersecurity talent gap, which totals more than 3 million workers.
Optiv’s Randy Lariar
“The capabilities that they’ve now reached with the underlying ChatGPT technology are really astounding,” he said. “No one should get worried that jobs are going to be replaced anytime soon, especially in cybersecurity. It’s the ability to find and compile information; it’s like the next generation of a Google search. It is organizing that information in a way that is useful, and that output can be trained just like a new hire. Anything you might ask an intern to do for you, ChatGPT is going to do. And unlike an intern, you’re going to learn over time the best prompts to use. And when you make requests, it’s going to give you the same consistent quality.”
There’s a lot of talk about ChatGPT not up to date with the times. Moreover, if you ask it a question, the response is pretty simplistic, Lariar said.
“But I think that there’s going to be a lot of development in this, and folks are going to realize that certain prompts and certain ways of structuring those requests are going to get you some really powerful and useful answers,” he said. “And if the answers don’t make your workflow completely done for you, they’re going to get you 90% of the way. And then obviously your subject matter expertise can take you the rest of the way.”
Scroll through our slideshow above for more from Lariar about ChatGPT and cybersecurity; plus, more security news impacting the channel.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn. |
About the Author(s)
You May Also Like