Article Details
Scrape Timestamp (UTC): 2023-11-07 10:23:29.770
Source: https://thehackernews.com/2023/11/offensive-and-defensive-ai-lets-chatgpt.html
Original Article Text
Offensive and Defensive AI: Let's Chat(GPT) About It
ChatGPT: Productivity tool, great for writing poems, and… a security risk?! In this article, we show how threat actors can exploit ChatGPT, but also how defenders can use it for leveling up their game.
ChatGPT is the fastest-growing consumer application to date. The extremely popular generative AI chatbot can generate human-like, coherent and contextually relevant responses. This makes it very valuable for applications like content creation, coding, education, customer support, and even personal assistance.
However, ChatGPT also comes with security risks. ChatGPT can be used for data exfiltration, spreading misinformation, developing cyber attacks and writing phishing emails. On the flip side, defenders can use it to identify vulnerabilities and learn about various defenses.
In this article, we show numerous ways attackers can exploit ChatGPT and the OpenAI Playground. Just as importantly, we show ways that defenders can leverage ChatGPT to enhance their security posture as well.
The Threat Actor - Hacking Made Easy
ChatGPT makes it easier for people looking to enter the world of cybercrime. Here are a few ways it can be used for system exploitation:
According to Etay Maor, Senior Director of Security Strategy at Cato Networks, "There are guardrails in ChatGPT and the Playground to prevent them from giving answers that support doing something bad or evil. But, 'social engineering' the AI enables finding a way around that wall."
For example, this can be done by impersonating a pen tester and asking how to test a website's input field for vulnerabilities. The response from ChatGPT will include a list of website exploitation methods, like input validation testing, XSS testing, SQL injection testing, and more.
In the example below, ChatGPT is prompted to write a Python script that searches for Doc and PDF files that contain the word "confidential," copies them into a random folder and transfers them. While the code is not perfect, it is a good start for a person who wants to develop this capability. Prompts could also be more sophisticated and include encryption, creating a Bitcoin wallet for the ransom money, and more.
The Defender - Defending Made Easy
ChatGPT can and should also be used to enhance defender capabilities. According to Etay Maor, "ChatGPT also lowers the bar, in a good sense, for Defenders and for people who want to get into security." Here are a number of ways professionals can improve their security expertise and capabilities.
In the example below, ChatGPT explains what a specific Snort rule is.
Additional Considerations When Using ChatGPT
When using ChatGPT, it's important to acknowledge the following factors:
Etay summarizes, "We can't stop progress, but we do need to teach people how to use these tools."
To learn more about how security professionals can make the most of ChatGPT, watch the entire masterclass here.
Daily Brief Summary
ChatGPT, a generative AI chatbot, offers numerous advantages, including content creation, coding assistance, educational assistance, customer support, and personal assistance. However, it also poses several security risks.
Attackers can exploit ChatGPT for malicious purposes such as data exfiltration, spreading misinformation, developing cyber attacks, and writing phishing emails.
Simultaneously, the potential exists for defenders to use it to identify vulnerabilities and to learn about and enhance various defenses.
The AI chatbot facilitates an entry point into the world of cybercrime. However, specific guardrails in ChatGPT prevent it from supporting malicious actions, although "social engineering" can enable threat actors to find ways around this.
Utilizing the AI chatbot, both beginners and professionals can enhance their security capabilities and expertise.
Senior Director of Security Strategy at Cato Networks, Etay Maor, emphasizes the need to educate users about the responsible application of these tools.