ChatGPT Does Cybersecurity Series: Yes!

It’s been 24 months since my last post. Been busy. Work. Life. Good. Hiatus over. Glad to be back.

In the 40+ years of my work career in tech, I have experienced four major epochs marked by truly disruptive technical innovations. The first three: PC, Web, iPhone.  Add to that a fourth – generative AI goes mainstream. And if we credit Microsoft for the PC, Netscape for the Web, and Apple for the iPhone, let’s give credit to OpenAI for ChatGPT.

The November 2022 public beta release of ChatGPT has been a major industry event. Much has been written on its strengths and limitations, its potential for good and bad, and its business impact.  

Since the last beta release, I’ve been putting ChatGPT to the test. My interests are strictly professional – ‘can I use it as a tool for my work as a cybersecurity intelligence analyst’? My conclusion – absolutely, but with some qualifications. Citing sources is a key part of the intelligence analyst job. This is an area of weakness, but not a disqualifier. The reality is that even if you like the answers that ChatGPT gives you, you’ll still need to search for the sources behind the answers. And as always: trust, with skepticism. And verify. 

I’ve concluded that ChatGPT can be a powerful tool in the cybersecurity intelligence analyst’s toolkit. View it as productivity aid, an intelligent assistant. It can help shape your inquiries and influence your assessments. But to get the most out of it, you need to know how to formulate good questions and to engage ChatGPT in dialogue. 

To appreciate its potential, think of questions you might ask a job candidate to test their technical suitability.  Like this:

Question: What is passive DNS?

Answer: “Passive DNS is a system used to track and log information about DNS resolutions. It operates by passively collecting data from various sources (such as DNS servers or network traffic) and recording it into a database, allowing researchers and analysts to better understand how domain names are used and how they resolve to IP addresses over time.”
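To make the definition concrete, here is a minimal passive DNS store written as an added example for this post (it is not code from the original post or from any passive DNS vendor). It assumes a sensor that emits one line per observed resolution in a constructed `timestamp rrname rrtype rdata` format; the observations, hostnames under `example.test`, and RFC 5737 documentation addresses are all constructed sample data. It keeps first-seen, last-seen and a hit count per unique (name, type, answer) tuple, which is exactly what lets an analyst ask "what has this name resolved to over time?" and "what else has pointed at this address?".

```python
"""Minimal passive DNS store (added example, not from the original post).

Ingests constructed resolver observations, aggregates them per unique
(rrname, rrtype, rdata) tuple with first_seen / last_seen / count, and
answers the two questions analysts ask most: the resolution history of a
name and the reverse lookup of everything that ever resolved to an address.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


class PassiveDnsStore:
    def __init__(self):
        self._records = {}                 # (rrname, rrtype, rdata) -> PdnsRecord
        self._reverse = defaultdict(set)   # rdata -> set of record keys

    def observe(self, ts, rrname, rrtype, rdata):
        """Record one observed resolution; history is aggregated, never overwritten."""
        rrname = rrname.rstrip(".").lower()
        key = (rrname, rrtype.upper(), rdata)
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = PdnsRecord(rrname, rrtype.upper(), rdata, ts, ts)
            self._reverse[rdata].add(key)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1

    def history(self, rrname):
        """All answers ever seen for a name, oldest first."""
        rrname = rrname.rstrip(".").lower()
        recs = [r for (n, _, _), r in self._records.items() if n == rrname]
        return sorted(recs, key=lambda r: r.first_seen)

    def reverse(self, rdata):
        """All names that ever resolved to this answer (IP, CNAME target, ...)."""
        return sorted((self._records[k] for k in self._reverse.get(rdata, ())),
                      key=lambda r: r.first_seen)

    def ingest_lines(self, lines):
        """Parse 'timestamp rrname rrtype rdata' lines (constructed sensor format)."""
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            ts_s, rrname, rrtype, rdata = line.split()
            self.observe(datetime.fromisoformat(ts_s), rrname, rrtype, rdata)


# Constructed sample observations: login.example.test moves from one address
# to another, and the new address is shared with a second name.
SAMPLE_OBSERVATIONS = """
# timestamp           rrname              rrtype rdata
2023-01-05T10:00:00   login.example.test  A      203.0.113.10
2023-01-06T09:30:00   login.example.test  A      203.0.113.10
2023-02-01T08:00:00   login.example.test  A      198.51.100.7
2023-02-02T11:15:00   cdn.example.test    CNAME  edge.example.test
2023-02-03T12:00:00   other.example.test  A      198.51.100.7
"""


def build_sample_store():
    store = PassiveDnsStore()
    store.ingest_lines(SAMPLE_OBSERVATIONS.splitlines())
    return store


def resolution_timeline(store, rrname):
    """[(rdata, first_seen_iso, last_seen_iso, count)] for a name, oldest first."""
    return [(r.rdata, r.first_seen.isoformat(), r.last_seen.isoformat(), r.count)
            for r in store.history(rrname)]


def names_for_answer(store, rdata):
    """Names that ever resolved to an address or CNAME target, oldest first."""
    return [r.rrname for r in store.reverse(rdata)]


if __name__ == "__main__":
    s = build_sample_store()
    for row in resolution_timeline(s, "login.example.test"):
        print(row)
    print(names_for_answer(s, "198.51.100.7"))
```

The reverse index is the part worth noticing: a single observed IP can be pivoted into every name that ever used it, which is how passive DNS turns one indicator into a cluster of related infrastructure.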

So far, so good. Now for a trick question:

Question: Is the MITRE ATT&CK model a cyber-attack detection tool?

Answer: “No, the MITRE ATT&CK model is not a cyber-attack detection tool. It is a comprehensive framework that provides a comprehensive understanding of the tactics, techniques, and procedures (TTPs) used by cyber adversaries. The model can be used as a reference to develop and evaluate threat detection capabilities, but it is not a standalone solution for detecting attacks. To effectively detect cyber-attacks, organizations should use a combination of security tools and practices, such as intrusion detection systems, endpoint protection, security information and event management (SIEM) systems, and incident response plans. The MITRE ATT&CK model serves as a valuable resource for understanding the tactics and methods used by attackers and can help organizations prioritize their defense strategies.”

The candidate knows its stuff. Maybe a little verbose, but we can chalk that up to being eager to impress. With the right mentoring, this candidate has high potential. Recommendation – extend an offer. 
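The ATT&CK answer above makes the point that the framework is a reference for building and evaluating detections rather than a detector itself. The following is an added example of that use, not code from the original post or from MITRE: a detection inventory tagged with technique IDs is checked against a slice of the matrix to find coverage gaps. The five technique IDs and names are taken from the public Enterprise ATT&CK matrix (verify them against the current release before relying on them); the rule names and their tagging are constructed.

```python
"""ATT&CK as a detection-coverage reference (added example, not from the post).

A small slice of the Enterprise matrix is compared against a constructed
detection inventory to answer "which techniques have no detection at all?"
and "how well is each tactic covered?".
"""
from collections import defaultdict

# Hand-picked slice of the public Enterprise ATT&CK matrix: ID -> (name, tactic).
# Assumption: names match the current release; confirm before use.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1486": ("Data Encrypted for Impact", "Impact"),
}

# Constructed detection inventory; each rule is tagged with the techniques it observes.
RULES = [
    {"name": "mail-gateway-attachment-sandbox", "techniques": ["T1566"]},
    {"name": "edr-encoded-powershell-command", "techniques": ["T1059"]},
    {"name": "edr-lsass-handle-access", "techniques": ["T1003"]},
    {"name": "siem-mass-file-rename-burst", "techniques": ["T1486"]},
]


def coverage(techniques, rules):
    """Map every technique ID to the list of rule names that claim to detect it."""
    covered = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            if tid not in techniques:
                raise ValueError(f"rule {rule['name']} references unknown technique {tid}")
            covered[tid].append(rule["name"])
    return {tid: covered.get(tid, []) for tid in techniques}


def gaps(techniques, rules):
    """Technique IDs with no detection content at all, sorted."""
    return sorted(tid for tid, names in coverage(techniques, rules).items() if not names)


def coverage_by_tactic(techniques, rules):
    """tactic -> (techniques with at least one rule, techniques in that tactic)."""
    cov = coverage(techniques, rules)
    tally = defaultdict(lambda: [0, 0])
    for tid, (_, tactic) in techniques.items():
        tally[tactic][1] += 1
        if cov[tid]:
            tally[tactic][0] += 1
    return {tactic: (hit, total) for tactic, (hit, total) in tally.items()}


if __name__ == "__main__":
    for tid in gaps(TECHNIQUES, RULES):
        name, tactic = TECHNIQUES[tid]
        print(f"GAP {tid} {name} ({tactic})")
    for tactic, (hit, total) in coverage_by_tactic(TECHNIQUES, RULES).items():
        print(f"{tactic}: {hit}/{total}")
```

Run on the sample inventory it reports a single gap, Lateral Movement, which is the kind of prioritisation the answer refers to: the matrix tells you where you are blind, and the actual detecting is still done by the EDR, mail gateway and SIEM rules in the inventory.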
