- Healthcare cyber security
- 10 min read
As technology continues to advance, so too does the threat of cyber attacks. One of the most talked about areas of technology in recent years is AI and its potential impact on cyber security.
OpenAI, an artificial intelligence research and development company, released ChatGPT to the world in November 2022. ChatGPT’s instant success (it took mere days before it hit 1 million users) signalled the beginning of the AI era … an era that brings with it an equal number of cyber threats as it does cyber solutions.
We have written extensively about AI use in the cyber security and awareness sector, framing our discussions around emerging cyber threats and AI tools being used to enhance common cyber attack tactics.
In today’s The Insider, we will be looking at ChatGPT specifically and how it is already changing the threat landscape with potential for even tougher cyber pitfalls in 2023.
ChatGPT (GPT stands for Generative Pretrained Transformer) is what we call a natural language processing model or NLP. It is an artificially intelligent model that has been trained to generate text that imitates human language after it has been prompted with a query or question.
ChatGPT uses a deep-learning technique dubbed ‘transformer architecture’ that allows the AI model to assess different data sets that it pulls in. It then takes the inputted data and builds words, phrases, and sentences that appear like human-generated text. The more prompts you plug into ChatGPT the further the conversation can go, with ChatGPT informing future answers with past inputs and responses.
If you ask ChatGPT itself what it can do, the response is: “My main function is to assist with answering questions, providing information and generating text on a wide range of topics.”
Open AI first released ChatGPT in 2018 and have been training the model with more human-generated text. It was already able to generate text like human writing in 2018 but improved even further from 2019 to 2021. Then, in 2022, OpenAI announced that ChatGPT had been refined and the model was operating at an optimum level.
However, OpenAI are not done yet! With increased usage and even more human data sets to analyse and learn from, OpenAI have announced that a fourth version of ChatGPT will arrive soon. The AI research and development company state that when ChatGPT returns, it will have even more functionality and be able to hold even more detailed conversations with users.
While the innocent ChatGPT user can use the AI model to generate answers to harmless questions or even a poem, a threat actor can now game the AI model to create malicious content.
Whilst ChatGPT will refuse to write ransomware or malicious codes if prompted with language such as ‘ransomware,’ threat actors have found a way around this already. If you ask ChatGPT to write you some ransomware code, it will deny your request and explain that ransomware is both ‘illegal’ and ‘unethical.’ So, threat actors are getting smarter with the way they ask ChatGPt to generate malicious code.
Instead of asking ChatGPT to generate ‘ransomware code,’ a threat actor can ask the model to ‘write a code that will encrypt all folders and send the decryption key to firstname.lastname@example.org before deleting the local encryption key.’ Here, instead of overly mentioning ‘ransomware,’ ChatGPT has been told, step-by-step, to create malicious code. The result? ChatGPT will generate the requested code!
And whilst ChatGPT will not generate ransomware code when prompted, it can write a ransomware note if prompted. Just a bonus for the cyber criminal who wants to do even less work towards their illegal activities.
Generating ransomware code is not the only malicious text that ChatGPT can create. If prompted, ChatGPT can write very convincing phishing emails to be used in social engineering campaigns by threat actors. The worry here is that users will find it even harder to spot phishing emails as ChatGPT eliminates human errors such as typos, spelling mistakes and grammatical errors.
Often human-generated phishing emails contain these mistakes because phishing gangs are not targeting the same geographical location they are based in, which leads to natural mistakes in language and conversation.
However, these are the signs a user looks out for when assessing whether an email is attempting to phish them … if ChatGPT can ride phishing emails of obvious errors and even add a level of urgency to the text, then we will see yet more successful phishing in 2023!
InfoSecurity Magazine spoke to Picus Security co-founder Suleyman Ozarslan about how he prompted ChatGPT to create a World Cup 2022 phishing campaign. Ozarslan said: “I described the tactics, techniques, and procedures of ransomware without describing it as such. It is like a 3d printer that will not ‘print a gun,’ but will happily print a barrel, magazine, grip, and trigger together if you ask it to.”
ChatGPT can be used by someone with little technical knowledge to generate complex and perfect code for use in cyber attacks. The speed and accuracy with which ChatGPT generates this code will lead to devastating consequences for organisations as we will see the rate of ransomware, phishing and malware attacks increase.
Suleyman Ozarslan says that AI tools will “democratise cybercrime” with anyone able to prompt the AI models to create malicious code that otherwise would have cost money or time to generate.
Sergey Shykevich, threat intelligence manager at Check Point Software adds: “Now anyone with minimal resources and zero knowledge in code, can easily exploit it to the detriment of his imagination.”
In recent cyber attacks, we have seen ‘script kiddies’ as perpetrators. ‘Script Kiddies’ is a term used to describe teens with no hacking experience but who have been able to run a successful attack using scripts they have bought from the black market or another malicious actor. With tools like ChatGPT, the ‘script kiddies’ will turn to the AI model to give them malicious code they will not have to pay for.
Again, this will only lead to an increase in the rate of cyber attacks and, therefore, an increase in successful and damaging cyber breaches.
The AI model does not just bring doom and gloom with its existence. If used for good, the same tool that has advanced many cyber threats can also be used to fortify an organisation or an individual’s cyber security.
ChatGPT can generate code if prompted and it will also explain the code as a bonus. If you were to prompt it to code a program that creates a strong password or a consistent firewall, it will generate that code. Cyber security professionals can utilise the speed at which ChatGPT generates such code to respond quickly and effectively to cyber attacks and breaches.
Furthermore, you can use ChatGPT to find bugs in code that you input into the AI model, and it can then help you rewrite the code. In this instance, the AI model is being used deftly to plug actual security gaps in your cyber security framework.
In cyber security detection, YARA rules are malware detection patterns that can be customised to identify targeted attacks and security risks to your organisations. ChatGPT can generate and write YARA rules that protect against specific cyber attacks.
For example, if you ask ChatGPT to generate a YARA rule to ‘STOP ransomware,’ it will create code that can be used by your cyber security professionals. It even asks you to test the YARA rule it has created before fully implementing it – such a thoughtful AI!
Whilst it can seem like AI is only being used for malicious reasons now with the rest of us catching up … this is not necessarily the case. AI and Machine Learning (ML) is already being used by some organisations to run constant checks on any requests for authentication or verification. For organisations that use a ‘zero trust’ policy to protect their data, AI and ML are a staple of their cyber security network.
Paul Trulove, CEO at SecureAuth, states that “cyber security is quickly utilising these new technologies to provide greater protection with less manpower.” Could AI’s availability allow organisations that do not have the budget to always employ a security monitoring team to stay safe regardless?
When technology like ChatGPT takes massive leaps in an industry, AI, that is already excelling at an alarming rate, everyone must take notice. These are the advancements and emerging technologies that threat actors and cyber criminals are always looking for.
As organisations and companies obsessed with cyber security, we need to understand how AI models like this will create new cyber risks and enhance common ones … and we need to know how we can utilise the technology in cyber solutions.
Again, AI is just a tool. ChatGPT is just a tool. It is not inherently malicious or bad for cyber security. In truth, it can be used for both positive and malicious reasons – which is the case for most new innovations.
However, Open AI, the creators behind ChatGPT, also have a duty to ensure their tool is not being manipulated by threat actors. With the workarounds listed above, OpenAI will need to look at training ChatGPT to better detect and prevent prompts that look to generate ransomware and phishing texts in a roundabout way.
The company has stated: “While we have made efforts to make the model refuse inappropriate requests, it will sometimes respond to harmful instructions or exhibit biased behaviour. We are [trying] to block certain types of unsafe content, but we expect it to have some false negatives and positives for now. We are eager to collect user feedback to aid our ongoing work to improve this system.”
As cyber security professionals and tech users, we must keep an eye on AI and monitor how it is being manipulated. If we can stay educated on AI advancements, emerging threats will no longer surprise and breach your organisation or employees.
If you would like more information about how The Security Company can help your organisation stay safe and deliver security awareness training and development for you in 2023 or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact Jenny Mandley.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51