Leveraging machine learning/artificial intelligence (ML/AI) is a relatively new tool within the cybersecurity space. Endpoint Detection & Response (EDR) tools and behavior analytics already use ML/AI to identify anomalous activity and kill processes, lock accounts, alert, and so on. A new AI model, ChatGPT, has recently been making waves because it is currently open to the public for testing, allowing cybersecurity professionals to see how it could be used in the field. Personally, I see this ML/AI as a force multiplier, whether by automating and handing off tasks or by leveraging the technology to assist with new ideas. Let’s take a look at a few of the possibilities.
I started my time in security as a junior analyst on a small team, mostly focused on detecting fraud and security events with a Security Information and Event Management (SIEM) tool called Splunk. While Splunk is the market leader in this space and has lots of documentation, it also has its own language, Search Processing Language (SPL), which can get complex as queries get more advanced. ChatGPT has already learned SPL and can turn a junior analyst’s prompt into a query in seconds, lowering the bar for entry. Below is a screenshot where I asked it to write an alert for a brute-force attack, specifically against Active Directory. Not only does ChatGPT create the alert, but it also explains the logic behind the query, a perfect guide for a newer SOC analyst. This is certainly not an advanced Splunk search, but it is a fairly standard alert for most security teams.
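The brute-force alert logic described above, as an added example that is not from the original post or its screenshot: the same detection idea (a burst of failed logons from one source against one account, optionally followed by a success) written in plain Python over a few constructed Windows Security events so it runs offline. The field names (EventCode, TargetUserName, IpAddress, _time) are assumed to match what a Splunk Windows add-on extracts, and the threshold of 10 failures in 300 seconds is an example value, not a recommendation from the post.

```python
# Added example, not code from the original post: the brute-force logic the
# SPL alert above expresses, run over constructed Windows Security events.
# Assumed field names follow the Splunk Windows TA (EventCode, TargetUserName,
# IpAddress, _time as epoch seconds); 10 failures in 300 s is an example threshold.
from collections import defaultdict

FAILED_LOGON = 4625   # an account failed to log on
SUCCESS_LOGON = 4624  # an account successfully logged on

def detect_brute_force(events, threshold=10, window=300):
    """Alert on (IpAddress, TargetUserName) pairs with >= threshold 4625 events
    inside any window-second span; flag whether a 4624 from the same source
    followed the burst, the case an analyst should escalate first."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_source[(ev["IpAddress"], ev["TargetUserName"])].append(ev)

    alerts = []
    for (ip, user), evs in by_source.items():
        failures = [e["_time"] for e in evs if e["EventCode"] == FAILED_LOGON]
        # Sliding window over the sorted failure timestamps.
        start, burst_end = 0, None
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]
                break
        if burst_end is None:
            continue
        success_after = any(e["EventCode"] == SUCCESS_LOGON and e["_time"] > burst_end
                            for e in evs)
        alerts.append({"src": ip, "user": user, "failures": len(failures),
                       "success_after_burst": success_after})
    return alerts

# Constructed sample: 12 failures in two minutes from one source, then a
# success; a second source with only 3 spaced-out failures must not alert.
SAMPLE_EVENTS = (
    [{"EventCode": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.50",
      "_time": 1_700_000_000 + 10 * i} for i in range(12)]
    + [{"EventCode": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.50",
        "_time": 1_700_000_130}]
    + [{"EventCode": 4625, "TargetUserName": "admin", "IpAddress": "10.0.0.77",
        "_time": 1_700_000_000 + 60 * i} for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

In Splunk the same grouping would be a stats or transaction over IpAddress and TargetUserName; the Python version is here so the logic can be read and tested without a SIEM.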
How about assisting a thinly spread team with day-to-day tasks? In nearly every IT environment we review, the number of stale accounts ranges from dozens to hundreds, and at times these accounts even hold privileged permissions. While a full privileged access management strategy and accompanying technology is recommended, the business may not prioritize it or have the funding to implement it, leaving the IT team with a DIY approach. System administrators have been doing this for years with self-written, scheduled scripts. Again, the creation of these scripts can be handed to ChatGPT by a junior engineer. The screenshot below is a script for identifying and disabling stale accounts - ones that have not logged in within the last 90 days. Again, this is not an advanced PowerShell script, but if a junior engineer can create it and learn how the logic works, it frees up the time of the more senior engineers/administrators for advanced work.
But what about the fun stuff, assisting with a purple team exercise? ChatGPT can be used by red-teamers to build simple scripts or debug scripts that aren’t working as expected, or by blue-teamers to see examples of scripts a penetration tester might use. One of the MITRE ATT&CK tactics that is near universal in cyber incidents is Persistence. The screenshot below shows how an attacker can add their specified script/command to the generated code, and it will be added as a startup script on a Windows machine. This type of persistence is a standard tactic and one that an analyst or threat hunter should be looking for. While the red team can use this tool to aid their penetration test, the blue team can use it to understand what those tools may look like in order to create better alerting mechanisms.
As with any new technology there is a luddite pushback fearing that it will eliminate jobs or be used nefariously. Unfortunately, the latter is most certainly true, but I do not believe the former is a likely outcome. I see AI as a tool for elevating security practitioners by alleviating the mundane and providing a teaching tool for the less experienced. We are seeing the early days of this technology, and I believe we’ve barely scratched the surface of the possibilities. Much to my chagrin, our marketing director wasn’t fooled by my attempt below at using ChatGPT to write this blog post (just kidding!).