ChatGPT took the world by storm after OpenAI opened it for testing on Nov. 30, 2022. For an industry calloused by years of largely unsatisfying AI and machine learning “innovations,” the reactions have been quite telling. Like many who are excited by its potential, I believe this is finally the moment of clarity for how truly revolutionary AI can be for information security.
It’s also quite sobering, as there are already countless examples of how it changes the game for black hats of all stripes. In one of the first proofs-of-concept, NYU professor Brendan Dolan-Gavitt used ChatGPT to exploit a buffer overflow vulnerability. Other examples include writing malware with lightning speed and crafting convincing, grammatically correct phishing emails.
The weaponization of AI within cybersecurity is not new, but what excites me the most about ChatGPT is its potential for closing information security’s biggest gap: the lack of sufficient talent, in both breadth and depth of cybersecurity skills (i.e., specializations). To illustrate this further, here are three ways ChatGPT will change infosec in 2023.
Advancing Crowdsourced Threat Intelligence
For quite some time, one of the industry’s holy grails has been successfully crowdsourcing threat intelligence. The promise stems from the ability to see what’s happening across a wide swath of companies within a single vertical industry. Unfortunately, the greatest impediment has been the lack of trust between organizations to share the intelligence.
This is the problem that the array of ISACs across industries have been trying to solve — with mixed results. Going forward, an information sharing and analysis center (ISAC) could take an iteration of the ChatGPT model with its natural language interface and feed it log data submitted by ISAC constituents, based on implicit trust within the group. The ISAC could then use ChatGPT to correlate network connections, categories of malicious IP addresses and domains, and similar behaviors. The results could produce a set of IDS rules that the ISAC constituents should implement to protect themselves from threats. The ISAC also would gain insight into the overall risk posture of the industry it represents.
Doing More With Existing Resources
The uncertain economy is putting pressure on security organizations to implement hiring freezes to squeeze more productivity out of existing resources. ChatGPT can be extremely beneficial here as a force multiplier that enables one analyst to do the job of multiple people.
Generalists and entry-level staff can describe what they are seeing in alerts and detections, and then ask ChatGPT to decipher their observations to jumpstart the triage process. A specific example is helping with practitioners’ daily de-obfuscation of suspected malicious code, which typically takes an hour or more. It now can be performed in seconds.
ChatGPT also has the potential to transform incident response. A team can use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. ChatGPT could then immediately prove or disprove a theory about a compromise. Today, that involves several days of work by an incident response lead, an engineer, and several analysts to fully resolve an incident. I can foresee a future where the process doesn’t need an analyst at all.
Taking the Malware Cat-and-Mouse Game to a New Level
Today, adversaries generate 100 million new malware samples per year. Because they all require manual coding, it is still a finite, manageable amount for signature detection. With ChatGPT, however, a hacker can say, “Here’s what I’m trying to do, and here’s the OS I’m trying to do it on,” and it can generate hundreds of thousands of iterations of one piece of malware.
This will mean that the detection engines’ ML models must be recomputed faster. It’s far more complicated, because they’re working against a much larger data set. Fortunately, ChatGPT will supercharge the reverse-engineering process and give anti-malware efforts a fighting chance.
For instance, a significant reverse engineering challenge is working with a generic file name, which doesn’t provide necessary context about where it was found. This requires much more manual work to identify the system for which it was built. There are minor changes in binary assembly that have marked changes on the end result — e.g., was it written for a 32-bit or 64-bit architecture? Is the system using Little Endian or Big Endian? The answers determine the direction in which you read the machine language (forward or backward).
All these efforts require trial and error if you have no context. ChatGPT can run through these iterations at blazing speed and give reverse engineers the final assembly language and process it from there. They can take it further and have ChatGPT tell them what it thinks the application is doing — in natural language. More importantly, ChatGPT could do all of this at scale, analyzing hundreds of thousands of binary samples and proving insights to an analyst.
It also can help fight back against common cat-and-mouse techniques. For example, malware often contains anti-reverse engineering techniques, such as nested loops, to make it much harder for reverse engineers to keep track of what is happening and the end state. ChatGPT can figure that out much faster than humans. It also can analyze the genetic code of the malware and see where there may be code reuse to identify the fingerprint of the author more quickly.
Whenever new advances in AI come to fore, there is the inevitable concern about whether it will replace humans and their jobs. I don’t believe ChatGPT will make this happen, but it will make us more powerful consumers of information. The force multiplier effect will be profound at all levels. I can see CISOs feeding it a set of information about its risk register for it to return policies and procedures, incident response plans, and more — all tailored to their environments.
While ChatGPT is only a research preview, I share the excitement of my industry colleagues about its promise to revolutionize how security practitioners work.