Imagine this scenario: you receive an email from your CEO asking you to send some information over. It’s written in her exact tone of voice, using the exact language she typically uses, and even references her dog in a joke. It’s precise, accurate, and utterly convincing. The catch? It was crafted by generative AI, using nothing but some basic information fed to it from social media profiles by a cyber-criminal.
The emergence of ChatGPT has catapulted AI into the mainstream consciousness, and with it, real concerns about its implications for cyber defense. Within weeks of its launch, researchers were able to demonstrate ChatGPT’s ability to write phishing emails, craft malware code, and explain how to embed malware into documents.
Adding further fuel to the flame, ChatGPT isn’t the first chatbot to hit the market, nor is it the last. Just this past week, we’ve seen Google and Baidu throw their hats into the ring. So as the tech giants clamor to create the best generative AI, what will it mean for the future of cyber defense?
The barrier to entry likely hasn’t been significantly lowered yet
One of the first debates raised by ChatGPT was that of cyber security – could cyber-criminals use ChatGPT or other generative AI to make their attack campaigns better? Could it lower the barrier to entry for would-be threat actors?
ChatGPT is a powerful tool, and its broad-ranging potential use cases can help existing users become more efficient, aggregate knowledge, and automate lower-level tasks in a world marked by rapid digital transformation.
That said, generative AI isn’t yet the silver bullet that solves everything at once; it has its limitations. For starters, it only knows what it has been trained on and requires ongoing retraining. And as we’ve seen, the very data it has been trained on has also been called into question. Already, universities and news outlets are reporting concerns about the potential for AI-assisted plagiarism and the spread of misinformation. As a result, humans often need to verify its output – sometimes it’s hard to tell if ChatGPT just made up the content or if its output is based on reliable information.
The same applies to any application of generative AI to cyber-threats. If a criminal wanted to write malware, they would still need to guide ChatGPT through creating it and then double-check that the malware even works. A would-be threat actor would still need quite a bit of pre-existing knowledge of attack campaigns to use it effectively, meaning the barrier to entry hasn’t been significantly lowered just yet when it comes to the technical crafting of attacks. Some nuances do still exist, of course, for example in creating credible phishing emails.
Generative AI-powered attacks mean quality over quantity
At Darktrace, we wondered if there was merit to concerns that ChatGPT might cause an increase in the number of cyber-attacks targeting businesses – so we did our own research across our customer base. What we found tells a slightly different story.
While the number of email-based attacks has largely remained the same since ChatGPT’s release, we observed that the number of phishing emails that rely on tricking the victim into clicking a malicious link has actually declined. However, the average linguistic complexity of the phishing emails has increased.
While of course correlation doesn’t mean causation, one theory of ours is that ChatGPT is allowing cyber-criminals to redirect their focus. Instead of using email attacks with malicious links or malware attached, criminals see a higher return on investment in crafting sophisticated social engineering scams that exploit trust and solicit the user to take direct action, for example urging HR to change the salary payment details for the CEO to the bank account of an attacker-controlled money mule.
Recall the hypothetical we posited at the start: it would take mere minutes for a criminal to scrape some information on a potential victim from their social media accounts and ask ChatGPT to create an email based on that information. Within mere seconds, that criminal would be armed with a credible, well-written, and contextualized spear-phishing email ready to send.
A future of machines fighting machines
The generative AI arms race will push tech giants to release the most accurate, fastest, and most credible AI on the market. And it’s an inevitability that cyber-criminals will exploit this innovation for their own gain. The introduction of AI, which can also include deepfake audio and video, into the threat landscape will make it easier for criminals to launch personalized attacks that scale faster and work better.
For defenders charged with protecting their employees, infrastructure, and intellectual property, the answer will be to turn to AI-powered cyber defense. Self-learning AI on the market today bases its ability to identify and contain subtle attacks on a deep knowledge of users and devices within the organizations it protects. Through learning these patterns of life, it develops a comprehensive understanding of what’s normal for users within the real-world context of everyday business data. Put simply, the way to stop hyper-personalized, AI-powered attacks is to have an AI that knows more about your business than external, generative AI ever could.
It’s clear that the introduction of generative AI to the mainstream is tipping the scales towards a war of algorithms against algorithms, machines fighting machines. For cyber security, the time to introduce AI into the toolkits of defenders is now.