Pricing
Contact
Login
Start Free Trial
Back

ChatGPT Storms Onto the Cybersecurity Scene

Dec 28, 2022

Anyone perusing this site has probably also read more than a few articles about ChatGPT, the latest “AI writer” that can turn user prompts into text that faithfully mimics human writing. I would venture to guess many readers here have even tried the tool for themselves (it’s free to experiment with if you haven’t). Chat GPT has dominated the conversation in tech over the last few weeks. It has been hard to escape, frankly.


Among the countless think pieces written about whether ChatGPT will spell the death of the college essay or usher in the end of creativity and critical thinking as we know them have been plenty of articles focused on cybersecurity specifically. Now that AI can instantaneously produce endless amounts of writing for almost any purpose, there are serious implications, both good and bad, for the future of digital defense.


Of course, the bad would seem to seriously outweigh the good (more on that soon). But amidst all the doom and gloom thrown at ChatGPT, it’s important to also acknowledge how this technology could be an asset to developers, security teams, or end users. Let’s look at it from three angles.


The Good


Cybersecurity suffers from a serious information deficiency. New attacks, techniques, and targets appear all the time, requiring the broad security community to keep constantly updated. On the other hand, average users need better information about cyber safety best practices, especially considering that years of consistent training and warnings haven’t cured deep-seated problems like password recycling. In both of these cases and others, I can see ChatGPT or a similar tool being extremely helpful for quickly yet effectively encapsulating information.


Of course, documenting cybersecurity hasn’t exactly been its biggest problem, and I question how much an AI writer can actually do to prevent or lessen attacks. Nonetheless, knowledge is power in cybersecurity but the scale of the issue stands in the way, so I can see automated writers playing a role in a host of different security tools, defensive techniques, and training strategies. They can (and arguably must) be a force for good.


The Bad


Almost the minute ChatGPT went live, the naysayers and doomsday prognosticators started to come out of the woodwork. Which is neither surprising nor troubling. ChatGPT is just the latest example of how artificial intelligence will transform the world in ways that we can’t predict, will struggle to control, and in some cases would never want.


Cybersecurity is a prime example. ChatGPT can generate passable (if not perfect) code just as it can prose. This could be a boon for developers of all kinds – including those that develop malware and other attacks. What’s to stop a hacker from using ChatGPT to expedite development and iterate endlessly, flooding the landscape with new threats? Similarly, why write your own phishing emails when ChatGPT, trained on countless past phishing emails, can generate thousands of them in seconds?


Automated writers lower the barrier to entering cybercrime while helping established criminals and gangs scale their efforts. More alarming, new technology always has unexpected, often unintended consequences, meaning that ChatGPT is sure to surprise us with how it gets weaponized, which is to say that the worst is yet to come.


The Ugly


To emphasize my previous point, let me outline a scenario I haven’t yet seen addressed in the ChatGPT conversation. Business email compromise (BEC) attacks are where hackers personalize phishing emails, texts, or other communications with personal information to make them seem like they are coming from the recipient's boss, close colleague, or another trusted source. They also contain careful social engineering to inspire the recipient to act without considering risk or applying good judgment. They are basically phishing attacks carefully calibrated to succeed. Back in June, Wired wrote that they were “poised to eclipse ransomware” because they have proven so lucrative and also so resistant to security measures.


The saving grace was that BEC messages took time. Someone had to first do research on the targets and then turn that into fine-tuned copy. Therefore, they were hard to scale and difficult to get just right (many of these attacks still failed). There was a difficult if not definitive upper limit.


From my perspective, ChatGPT obliterates that obstacle. Imagine if an attacker trained automation to comb LinkedIn for data about people’s professional relationships, then fed that data into ChatGPT to create convincing BEC emails customized for hundreds or thousands of different recipients. If we can automate both the research and the writing parts, and do both on not just a massive scale but with uncanny precision, hackers can scale BEC campaigns to any size.


And then what? Will every email seem suspect? The cloud of doubt hanging over the authenticity of any piece of information or string of communication (did this come from someone real?) may prove as much or more disruptive than the attacks themselves. I’m just speculating. These doomsday scenarios, like so many others, may never materialize...Or BEC attacks could prove to be the least of our concerns.


That puts it on us – probably most people reading this site – to somehow ensure the good outweighs the rest.

Tags

  • #vicarius_blog

users/photos/cl63q9kls03si09n2e51cdpu2.jpeg

Written by

Paul Lighter

Recent Posts

  • 1

    CVE-2023–23752: Joomla Unauthorized Access Vulnerability

    Mohammad Hussam Alzeyyat March 24, 2023
  • 2

    Apache Zero Days - Apache Spark Command Injection Vulnerability (CVE-2022-33891)

    Mudassar Zafar March 22, 2023
  • 3

    CVE-2022-44666: Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability

    j00sean (https://twitter.com/j00sean) March 01, 2023
  • 4

    KeePass Passwords Theft CVE-2023-240550

    Youssef Muhammad March 01, 2023
  • 5

    CVE-2022–44267: Denial Of Service in ImageMagick

    Mohammad Hussam Alzeyyat February 28, 2023

Related Posts

By Mohammad Hussam Alzeyyat
Mar 24, 2023

CVE-2023–23752: Joomla Unauthorized Access Vulnerability

In this blog, we are going to analyze the information disclosure in Joomla that allows an attacker to exploit it to gain unauthorized access. we will dive deep inside the flow of Joomla, how it works, and how the vulnerability happened.
By Mudassar Zafar
Mar 22, 2023

Apache Zero Days - Apache Spark Command Injection Vulnerability (CVE-2022-33891)

The Apache Spark command injection vulnerability (CVE-2022-33891) was discovered by the Sangfor FarSight Labs team and reported to the Apache Spark project team on July 18, 2022. The vulnerability was classified as high severity, with a CVSS (Common Vulnerability Scaling System) Base Score of 8.8, indicating a high potential impact.
By j00sean (https://twitter.com/j00sean)
Mar 01, 2023

CVE-2022-44666: Microsoft Windows Contacts (VCF/Contact/LDAP) syslink control href attribute escape vulnerability

My thoughts and more on this bug!
last_chanse_02.png

Start Closing Security Gaps

  • Risk reduction from Day 1
  • Fast set-up and deployment
  • Unified platform
  • Full-featured 14-day trial
Get a Demo
Start Free Trial!

Have questions?

By submitting this form, you agree to be contacted about TOPIA and other Vicarius products.

Vicarius develops an autonomous vulnerability remediation platform to help security teams protect their assets against software exploitation. Consolidating vulnerability assessment, prioritization, and remediation, Vicarius strengthens cyber hygiene and proactively reduces risk.
We're hiring!

Support

support@vicarius.io

Sales

sales@vicarius.io

Marketing

info@vicarius.io
Product
Product Overview
Vulnerability Management
Patch Management
Patchless Protection
Auto Actions
Network Scanner
xTags
0-Day Detection
Solution
Solution Overview
Case Studies
Knowledge
Research Center
Apps & OS Patch Catalog
Videos
Articles
Docs
Company
About
Investors
Partners
Trust
Careers
Pricing
Pricing
Compare
TOPIA vs. Automox
TOPIA vs. ManageEngine
TOPIA vs. Rapid7
TOPIA vs. Tenable
TOPIA vs. Tanium
TOPIA vs. RMMs
TOPIA vs. Vulcan
TOPIA vs. PDQ
TOPIA vs. Qualys

Copyright © Vicarius. All rights reserved 2022. Privacy Policy and Terms of Use