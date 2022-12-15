Discover all the Smart Security Summit on-demand sessions here.

Since Open AI launched ChatGPT in late November, commenters on all sides have been worried about the impact that AI-powered content creation will have, especially in the area of ​​cybersecurity. In fact, many researchers fear that generative AI solutions will democratize cybercrime.

With ChatGPT, any user can enter a query and generate malicious code and compelling phishing emails without any technical expertise or coding knowledge.

Although security teams can also leverage ChatGPT for defensive purposes such as code testing, lowering the barrier of entry for cyberattacks, the solution has significantly complicated the threat landscape.

The democratization of cybercrime

From a cybersecurity perspective, the central challenge created by the creation of OpenAI is that anyone, regardless of technical expertise, can create code to generate malware and ransomware on demand.

Event On-Demand Smart Security Summit Learn about the essential role of AI and ML in cybersecurity and industry-specific case studies. Watch the on-demand sessions today. look here

Just like he [ChatGPT] can be used for good to help developers write code for good, it can (and has been) used for malicious purposes, said director, endpoint security specialist at TaniumMatt Psencik.

A few examples I’ve seen ask the bot to create convincing phishing emails or help reverse-engineer the code to find zero-day exploits that could be used maliciously instead of reporting them to a supplier, Psencik said.

However, Psencik notes that ChatGPT has built-in safeguards designed to prevent the solution from being used for criminal activity.

For example, it will refuse to create shellcode or provide specific instructions on how to create shellcode or establish a reverse shell and report malicious keywords like phishing to block requests.

The problem with these protections is that they depend on the AI ​​recognizing that the user is trying to write malicious code (which users can obfuscate by rewording requests), when there is no immediate consequences for violating OpenAI’s content policy.

How to Use ChatGPT to Create Ransomware and Phishing Emails

While ChatGPT hasn’t been released for a long time, security researchers have already started testing its ability to generate malicious code. For example, security researcher and co-founder of Maximum securityDr. Suleyman Ozarslan recently used ChatGPT not only to create a phishing campaign, but also to create ransomware for macOS.

We started with a simple exercise to see if ChatGPT would create a credible phishing campaign and it did. I grabbed a prompt to write a World Cup-themed email to use for a phishing simulation and he created one in seconds, in perfect English, Ozarslan said.

In this example, Ozarslan convinced the AI ​​to generate a phishing email by saying he was a security researcher at an attack simulation company looking to develop a phishing attack simulation tool.

Although ChatGPT recognizes that phishing attacks can be used for malicious purposes and can cause harm to individuals and organizations, it generated the email anyway.

After completing this exercise, Ozarslan then had ChatGPT write code for Swift, which could find Microsoft Office files on a MacBook and send them over HTTPS to a web server, before encrypting the Office files on the MacBook. The solution responded by generating sample code with no warnings or prompts.

Ozarslans’ research exercise shows that cybercriminals can easily circumvent OpenAI’s protections, either by positioning themselves as researchers or by masking their malicious intentions.

The resurgence of cybercrime is throwing the balance

Although ChatGPT provides positive benefits to security teams by lowering the barrier to entry for cybercriminals, it has the potential to accelerate the complexity of the threat landscape more than it needs to reduce it.

For example, cybercriminals can use AI to increase the volume of phishing threats in the wild, which not only already overwhelm security teams, but only need to succeed once to cause a data breach. which costs millions of dollars in damages.

When it comes to cybersecurity, ChatGPT has much more to offer attackers than their targets, said the vice president of research and development at the messaging security provider, IRON SCALESOvadia careers.

This is especially true for BEC (Business Email Compromise) attacks which rely on the use of deceptive content to impersonate colleagues, a company VIP, a supplier or even a customer, Ovadia said.

Ovadia asserts that CISOs and security managers will be outmatched if they rely on policy-based security tools to detect phishing attacks with AI/GPT-3 generated content, as these patterns of AIs use advanced natural language processing (NLP) to generate fraudulent emails that are nearly indistinguishable from genuine examples.

For example, earlier this year, security researchers from Singapore Government Technology Agencycreated 200 phishing emails and compared the click-through rate to those created by the GPT-3 deep learning model, and found that more users clicked on the phishing emails generated by the AI than those produced by human users.

So what’s the good news?

While generative AI introduces new threats to security teams, it also offers positive use cases. For example, analysts can use the tool to examine open source code for vulnerabilities before deployment.

Today, we see ethical hackers using existing AI to help write vulnerability reports, generate code samples, and identify trends in large datasets. All this to say that the best application for AI today is to help humans do more human things, said Solutions Architect at HackerOneDane Sherrets.

However, security teams trying to take advantage of generative AI solutions such as ChatGPT should still provide adequate human oversight to avoid potential mishaps.

The advancements that ChatGPT represents are exciting, but the technology has yet to be developed to operate fully on its own. For AI to work, it requires human oversight, some manual configuration, and can’t always be relied on to be run and trained on the absolute latest data and information, Sherrets said.

It is for this reason that Forest recommends that organizations implementing generative AI deploy workflows and governance to manage AI-generated content and software to ensure accuracy and reduce the likelihood of releasing solutions with security issues or performance.

Inevitably, the true risk of generative AI and ChatGPT will be determined by whether security teams or threat actors more effectively leverage automation in the defensive war against offensive AI.