November 30th, 2022. We all awoke to a very ordinary morning. But by the time the day drew to a close, something had changed that would shape the very nature of technology as we knew it.
ChatGPT exploded onto our screens.
News of this revolutionary tool spread like wildfire, eyes widening and jaws dropping as its capabilities were explored. Even the sceptics among us were soon won over by the next level generative AI. Now, over 90 days later, ChatGPT is valued at $29 billion and sees over 600 million people using the site each month.
However, not everyone is ecstatic about this latest development. Where businesses see opportunity and value, cybersecurity teams see yet another weapon in the attacker’s arsenal. Given that OpenAI’s separate AI called Codex (designed to write computer code) has already been paired up with ChatGPT to create hacker scripts, it’s clear this may be just the beginning of a whole host of security threats to come.
It’s one thing for the benefits to outweigh the risks, but we can’t simply ignore the dangers of this evolving AI. The step to managing this platform is to understand it through and through.
An educational tool and more
ChatGPT has already demonstrated it’s worth as a source of knowledge for people in both their professional and personal lives. And less than four months on, Microsoft has released big plans for OpenAI’s chatbot involving its Teams function.
For cybersecurity specifically – as a rapidly evolving industry – the power of ChatGPT means those interested in a career in cybersecurity, or just those looking to find out more information about how to better protect their systems, can do so at the click of a button.
The potential of ChatGPT for learning in the future is what’s really exciting. It’s not completely accurate in its current state and shouldn’t be relied upon for accurate information (in much the same way Wikipedia can’t be relied upon), but it’s a strong start and will only improve.
For cybersecurity professionals, there are two prime examples that come to mind for its use as a force for good:
- Analysing code to find weaknesses resulting in zero-day vulnerabilities
- Finding similar domains that may be missed (this information can then be used to reduce the possibility of domain likeness phishing)
Tech for good turned bad
As with most technological developments, there are two sides of the coin. ChatGPT may present businesses with a never-ending pool of opportunities, but the same resource is available to those with more malicious intent.
While ChatGPT itself cannot be directly targeted by cybersecurity threats like malware, hacking or phishing, it can be exploited to help criminals infiltrate systems more effectively.
The platform’s developers have taken steps to try to reduce this as much as possible, but it takes just one attacker to word their question in the right way to get the desired response.
The best example here is phishing. Asking the platform to generate a phishing template directly will result in the chatbot refusing. However, if someone with malicious intent rewrote their question ever so slightly, the AI won’t detect any issue. For example, if you ask it to create a ‘gophish’ template, it will comply.
Staying secure means staying prepared
The advanced capabilities of ChatGPT throws up several red flags for security teams, but it isn’t time to hit the doomsday button just yet.
For example, while we know that ChatGPT can be paired up with Codex to create AI-generated attack code, it was also found that there are major limitations that keep it from being a genuine threat to security systems.
For example, the most recent data that feeds ChatGPT is from 2021 – so the platform is fundamentally outdated. In reality therefore, 90% of the time, the text produced by the platform is flawed, meaning malicious users would need their own knowledge base to fact check the content for it to be in any way effective against security systems.
Given the extra work it would take to get the text ready for use, it’s unlikely that experienced criminals would use ChatGPT as an attack tool. For those with less experience, ChatGPT could potentially provide them with the very basics of an attack, but nothing advanced enough to pose a genuine threat to sophisticated defences – yet.
Keeping pace
Whether ChatGPT poses a genuine threat to businesses now or not, it still gives a glimpse of what is still to come on our dynamic technological journey. That’s not to say that we can’t make effective use of these advancing tools, we should just be mindful of who else is using them and in what context.
The pros and cons need to be analysed and, from a security perspective, rigorously scrutinised and tested. Modern cybersecurity is well equipped to handle ChatGPT in its current state, but it’s what lies ahead that we need to keep a close eye on in order to stay prepared.
