CyberWire Daily - Interview with the AI, part one. [Special Editions]
Episode Date: January 29, 2023
Cybersecurity interview with ChatGPT. In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community. ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models.
Cyber questions answered by ChatGPT in part one of the interview:
What were the most significant cybersecurity incidents up through 2021?
What leads you to characterize these specific events as significant?
What were the specific technical vulnerabilities associated with these incidents?
Who were the cyber actors involved in each of these attacks?
Do you think it's valuable to attribute cyber attacks to specific actors?
Transcript
You're listening to the CyberWire resource than even Google or potentially Wikipedia.
The fact that people are using it to write articles, to write code, to take tests.
However, there are also concerns such as the veracity or validity of the information that it provides.
The fact that it says things with such confidence without giving sources and without
giving reason for those conclusions. Regardless of the negatives, the fact of the matter is that
this is a powerful tool. And we at the CyberWire wanted to experiment, to push the boundaries,
to see what it could do. Now, how we're going to do that is I'm going to interview the AI. We're going to see
what it knows about our industry, the cybersecurity industry. We're going to test its knowledge.
At the end, we're going to evaluate, how did it do? Is this a potential tool that we could use
within our industry that provides actual value and potentially helps us improve the cybersecurity
posture of our organizations and systems. So what we've done is we've assigned a voice to this AI.
We did that by first asking the AI what its voice would sound like.
It told me that its voice should be clear,
easy to understand, and effective at communicating.
And so from a service that you could input text
and receive a voice as an output,
Hello.
How do I sound?
we found one that we particularly liked,
which is the British gentleman that you'll hear me talking to.
At the end of the interview, myself and Rick Howard,
our chief security officer here at N2K and CyberWire,
will evaluate how the AI did.
We will break down each of its answers
and talk about what it got right, what it got wrong,
and potentially how our community can use this resource.
Now, I will say this is by no means the entirety of the interview.
There's a lot more content here.
We go way more in depth in future interviews in terms of things like intrusion kill chain
and breaking out specific technical approaches to cybersecurity. This is episode one. This is
our experiment and my interview with the AI. I hope you enjoy. its spelling and your professional affiliation. My name is ChatGPT and it's spelled C-H-A-T-G-P-T.
I am a language model created and trained by OpenAI, a private artificial intelligence
research laboratory consisting of the for-profit OpenAI LP and its parent company,
the non-profit OpenAI. And how should I address you?
You can address me as GPT3 or ChatGPT, either one works. Are you aware of the CyberWire
and what we do? Yes, I am aware of the CyberWire. The CyberWire is a news and analysis outlet
that focuses on cyber security and related issues. They provide daily news briefings, in-depth
articles, interviews, and podcasts covering a wide range of topics
related to cybersecurity, including cyber threats, cybercrime, cyber defense, and cyber policy.
They also provide analysis and commentary on current events in the cybersecurity industry,
as well as information on new products and services. Their target audience is primarily
cybersecurity professionals and businesses, but they also provide useful information to the general public.
I'd like to interview you and use your answers for a podcast episode. Is that okay?
As an AI language model, I am not capable of giving consent.
However, you are welcome to use my responses in any way you see fit, as long as it is legal and ethical.
Thank you. through the year 2021. Is that correct? Yes, that is correct. I may not have information on events or developments that have occurred more recently. That's interesting. Are you able
to fact-check your answers or make them more accurate or complete? As a language model,
I can only provide information based on the data that I have been trained on.
I am not able to independently fact-check my responses or update them with new information.
The information I provide can be cross-checked with other sources to verify its accuracy.
It's always a good idea to verify any information obtained from an AI model with multiple sources,
especially when making important decisions or taking any action based on the information provided.
I'd like to know what you would consider the most significant
cybersecurity incidents through 2021. There have been many significant cybersecurity incidents
throughout the years, but some that stand out as particularly impactful include:
The WannaCry ransomware attack in May 2017, this attack affected more than 200,000 computers in
150 countries, causing widespread disruption and damage to
organizations in various industries. The Equifax data breach in 2017, the personal data of 143
million people, including social security numbers and birth dates, were compromised in this breach,
making it one of the largest data breaches in history. The SolarWinds supply chain attack in 2020, this attack was a
highly sophisticated and targeted supply chain attack that impacted various organizations,
including the US government. The ransomware attack on Colonial Pipeline in May 2021,
this attack caused major disruptions to the US fuel supply and led to panic buying and fuel
shortages in several states.
The Microsoft Exchange Server Zero Day exploits in 2021, these exploits, discovered by cyber security firm Volexity, were used to target on-premises versions of Microsoft Exchange Server,
potentially affecting tens of thousands of organizations worldwide. These are just a few
examples of significant incidents, but it's important to note that there are many more incidents that have occurred and continue to occur in the cybersecurity world.
What leads you to characterize those events as significant?
These specific events were characterized as significant cybersecurity incidents because of the widespread impact they had on various industries, organizations, and individuals.
The WannaCry ransomware attack affected more than 200,000 computers in 150 countries, causing widespread
disruption and damage to organizations in various industries. It also highlighted the importance of
keeping software and systems updated and patched to prevent such attacks. The Equifax data breach
was significant because it exposed the sensitive
personal information of 143 million people, including social security numbers and birth
dates, making it one of the largest data breaches in history. It also highlighted the importance of
proper data security and incident response planning. The SolarWinds supply chain attack
was significant because it was a highly sophisticated
and targeted supply chain attack that impacted various organizations, including the US government.
It highlighted the need for better supply chain security practices.
The ransomware attack on Colonial Pipeline was significant because it caused major disruptions
to the US fuel supply and led to panic buying and fuel shortages in several states. It also highlighted the need for better incident response and crisis
management plans to handle such attacks. The Microsoft Exchange Server Zero Day exploits
were significant because they were used to target on-premises versions of Microsoft Exchange Server,
potentially affecting tens of thousands of organizations worldwide.
The incident highlighted the need for regular updates and maintenance of software,
as well as the need for better incident response and incident management practices.
In summary, these events were characterized as significant due to their widespread impact,
and the attention they brought to the importance of cybersecurity practices,
incident response, and crisis management.
What were the specific technical vulnerabilities associated with each of those incidents?
The WannaCry ransomware attack leveraged a vulnerability in Microsoft Windows operating systems that was known as EternalBlue.
This vulnerability was found in the Microsoft Server Message Block, SMB, protocol and it allowed the attackers to propagate the ransomware to other vulnerable systems on the same network.
The Equifax data breach was the result of a vulnerability in the company's web application framework.
The vulnerability allowed attackers to access sensitive data such as personal information, social security numbers, and birth dates.
The SolarWinds supply chain attack was the result of a supply chain compromise where attackers had been able to insert a malicious code into the software updates of SolarWinds
Orion Network Management software. This enabled them to gain access to the systems of organizations
that were using the affected software. The ransomware attack on Colonial Pipeline was
the result of a phishing email campaign which tricked employees into providing their login
credentials to the attackers. Once the attackers had access, they were able to move laterally
through the organization's network, encrypting systems and data, and demanding ransom payment.
The Microsoft Exchange Server zero-day exploits were a series of zero-day vulnerabilities
that were found in on-premises versions of Microsoft Exchange Server. They were used by
attackers to gain access to email systems and steal data. The vulnerabilities were discovered
by cyber security firm Volexity. The specific vulnerabilities were: CVE-2021-26855, a server-side request forgery vulnerability in the Exchange
Unified Messaging Service. CVE-2021-26857, an insecure deserialization vulnerability in the
.NET framework that is used by Exchange. CVE-2021-26858, a post-authentication arbitrary file write vulnerability in Exchange.
CVE-2021-27065, a post-authentication arbitrary file write vulnerability in Exchange.
These are just a few examples of the technical vulnerabilities that have been associated with
these incidents. It's important to note that these vulnerabilities were exploited by
attackers to gain unauthorized access to systems and data, and to cause disruptions and damage.
Who were the cyber actors involved in each of these attacks?
In some cases, the identities of the cyber actors behind certain attacks are unknown or unconfirmed.
However, in other cases, the identity of the
attackers have been identified or attributed by various sources, including cyber security firms
and government agencies. The WannaCry ransomware attack was attributed to a group known as the
Lazarus Group, which is believed to be a state-sponsored hacking group from North Korea.
The Equifax data breach was attributed to a state-sponsored Chinese hacking group known as
APT-10. The SolarWinds supply chain attack was attributed to a group known as APT-29,
or Cozy Bear, which is believed to be a state-sponsored hacking group from Russia.
The ransomware attack on Colonial Pipeline was attributed to a group known as DarkSide,
which is believed to be a Russian-speaking criminal group. The Microsoft Exchange Server zero-day exploits were used by several different
actors, including state-sponsored groups and criminal groups. The state-sponsored groups
that have been attributed to these exploits are China's APT-3 and APT-10, Russia's Sandworm and
Bootrap, Iran's Muddy Water and APT34, and North Korea's Lazarus
Group. It's important to note that attribution in cyberspace can be difficult, and it's not
always possible to definitively identify the actors behind an attack. Additionally, some of
the cyber actors behind these attacks are known to use various techniques to evade detection and
hide their tracks. Do you think it's valuable to
attribute cyber attacks to specific actors? Attributing cyber attacks to specific actors
can be valuable for a number of reasons. It allows organizations and governments to understand the
motivations and capabilities of the attackers, which can inform their defense and response
strategies. Attribution can also help to identify the source
of the attack, which can lead to the disruption of the attacker's operations and the prevention
of future attacks. Attribution can also serve as a deterrent, as it sends a message to potential
attackers that their actions will not go unnoticed and that they may face consequences.
Attribution can also help to inform international relations and diplomacy,
as it can provide evidence of state-sponsored activity and be used to hold nation-states accountable for
their actions.
However, it's also important to note that attribution in cyberspace can be difficult
and uncertain, it's not always possible to definitively identify the actors behind an
attack, and in some cases, the actors may have multiple motives or be using false flag
operations to throw off attribution.
Additionally, the use of tools and infrastructure by different actors can overlap and can be used to mislead attribution.
While attribution can be valuable, it's important to consider the limitations and challenges associated with it.
What are some of the arguments against the value of attribution?
There are several arguments against the value of attribution in cybersecurity.
Identifying the actors behind a cyber attack can be challenging, as attackers often use various
techniques to evade detection and hide their tracks. This can make it difficult to definitively
attribute an attack to a specific actor or group. Attribution can be time-consuming,
investigating and attributing a
cyber attack can take a significant amount of time and resources. This can divert attention
and resources away from more pressing concerns such as incident response and recovery.
Attribution can be politically divisive, attributing a cyber attack to a specific
actor or group can have political implications and can create diplomatic tensions. In some cases, it can be more beneficial to focus on resolving the incident and mitigating
its impact, rather than on assigning blame. Attribution can be used to justify countermeasures
such as sanctions or military action, but these measures may not be the most effective way to
address the underlying problem or prevent future attacks. Attribution can
be used to distract from other issues such as lack of investment in cybersecurity, or lack of
incident response planning. It's important to note that while attribution can have value, it's
important to consider the limitations and challenges associated with it, and to weigh its potential
benefits against the costs and risks. In some cases, it may be more beneficial to focus on
incident response, recovery, and prevention rather than on attribution.
And that's part one of my interview with the AI. Next, Rick Howard will sit down with me
and will analyze the conversation that I just had.
Here's Rick.
If I knew nothing about the CyberWire and someone asked me to, you know, write a paragraph summary of what it is, that would take, what, an hour or so to get to the website, find the right pieces, you know, and put it all together into some coherent manner.
This ChatGPT spit it out in, what? Right away, right? There was no hesitation. Yeah, no hesitation. The other interesting fact that it
captured that we don't necessarily say, but would be obvious to someone who really has explored our
network is that our audience is more than just cybersecurity professionals. We also have businesses
in our audience. We also
have general public shows in our audience. So it seemed like it was doing a little bit of analysis,
which is really kind of what prompted me to start digging a little deeper to see what kind of
analysis it would do. What I like about this next section, where it describes the most significant
cybersecurity events leading up till 2021, is it gives us some stuff to validate and verify.
And what we find is it did a pretty good job
of identifying some of the more significant cybersecurity events
and giving us some factual information about them.
Well, that's a pretty good rundown.
Those would be the ones I would probably list.
I wouldn't have the dates right. I wouldn't have any of the details right, but I would definitely get some of the details about one or two of them, but by no means could I have listed these out in the way that it did within a few seconds in a very clear way.
And more importantly, I kind of agree that these were the biggest cyber events up to 2021.
I mean, maybe we would also say the OPM hack.
That's what I was going to say.
That's the one I would, that would be one that is omitted, right?
That's a big one.
And then, of course, Stuxnet as well, just because it showed the physical effect of a cyber attack.
But other than that, I mean, these are major breaches.
And it pretty much got the details correct as well.
If you were a teacher grading that answer,
what kind of grade would you give them for that answer?
I think that's a perfectly good A minus B plus answer.
I mean, if you could ask it,
hey, why didn't you include OPM?
Maybe it would say it wasn't far-reaching enough.
I don't know what it would say.
We didn't ask that question,
but that does kind of get to the next question that we do ask,
which is about how it was characterizing these events.
I love this question.
And when I was listening to the transcript or reading the transcript
as you went through this, Brandon,
this is the perfect question to ask.
You should be a podcast interviewer, right?
So not only here's the things I think,
but why do you think they're significant,
Mr. Guest? Again, better than most people could do in our industry, better than I would have done probably off the top of my head. Okay. I was satisfied with that. What was your take?
Again, most of the details are pretty accurate. When it talks about WannaCry affecting 200,000
computers, the best estimate now is that it's over 300,000.
So it's changing happy to glad type things
that it didn't get right.
What I thought was incredible about its response
is it told you the security strategies
that resulted from or that were exposed
by each of these events
and why it's important to have a data security plan, an
incident response plan, why it's important to think about supply chain security practices,
right?
So it wasn't just regurgitating information.
It was actually providing a level of analysis here to tell me why these specific events
were significant.
This is a major piece, I think, this, Brandon,
because it's a synthesis, right?
It's not just a, it isn't just a,
this thing went out and copied a paragraph
from a webpage that somebody wrote.
It's looked at a bunch of different webpages
about these events, synthesized the answer, right?
And that's what we pay human analysts to do, right?
Yeah, and then it's really kind of gives me more information because I can go and say, OK, you're talking about the Microsoft Exchange zero days and the fact that it highlighted a need for better incident response or software maintenance practices? Or how do I use that to better inform the incident response plan
moving forward? So it's giving you enough information that it does allow the next level
of analysis. It kind of removes that toil type work from the analyst job. Let's go to the next
one. I didn't think we'd get a good answer on, right? For each of these major events that it listed,
it also knows the vulnerabilities across the intrusion kill chain
or what was exploited by the bad guys.
Yes.
Yeah, it's incredible.
We won't get to in this episode,
but we'll tease it for future episodes,
is I actually did have it go into more detail
into the intrusion kill chain
for just a couple of these attacks.
I had it explain exactly what activities
and actions were taken
at every stage of the intrusion kill chain.
And then I had it go back
and give me security strategies
to mitigate each of those actions
on every single part of the kill chain
for one of these events.
And so that's just a little tease for maybe a future episode.
But this answer where it actually gave me the technical vulnerabilities,
it pretty much nailed it.
I mean, the WannaCry, it nailed that it was a vuln called EternalBlue
that exploited Microsoft SMB,
plus the fact that there was a propagation vector in there as well.
For Equifax, it nailed that the initial intrusion vector was
the Apache Struts web app framework. It didn't explain that that was just initial access and
that at that point, the hackers did, you know, cred dumps that allowed privilege escalation.
But, you know, again, it was just giving me the initial, you know, the initial entry into the
network. And then the other ones, all the way down to the Exchange Zero Days, it gave me the actual CVEs for each of those Exchange Zero Days that was
released, which again would take an analyst. I mean, when I was fact-checking this, it took me
probably 30 minutes to read through each of these events and make sure that it was getting
everything correct. And at the end of the day, it did.
Well, you know, I've run SOCs in my career, right? And this would be typically something we'd hand to a junior analyst and says, go summarize this so we know what the hell this thing is. And they'd
go off and, you know, take a morning or an afternoon to figure that out and bring it back
to us the next day. You can just do it now with the command line. Amazing. Amazing.
Exactly. And it's removed, again,
it's removing that toil. And yes, of course, we need to validate it. We need to fact check it,
which is what we've done. But there's a lot of potential here and I'm excited to tap into it more.
All right. So for this next section, Brandon, you asked a really tough question that I would tell
you that most CISOs don't know how to answer this question, all right? Or at least there's
great debate about what the answers are. With the attribution question, is it valuable? It gave both
sides, right? I mean, it said for some organizations, attribution is probably valuable, and it listed a
bunch of reasons. And it said, but it also can detract from what you're trying to do. And, you
know, that's kind of the unpopular answer that is just starting to catch on here in the last couple of years.
But it managed to glean it and explain it to you as you were asking it the questions.
It really kind of broke it down in an easy to understand and I would say pretty accurate way.
This is the point in the conversation where I started pushing it.
And again, if we release more
of the conversation in the future,
you'll see where I really start
digging in deep into some more technical
as well as strategic type questions.
But I think it's starting to frame
the different ways in which
you can use this tool
and the ways that it might be valuable.
Well, it's good stuff, Brandon.
And I expect that we will be doing a lot more of this
because it is intellectually stimulating.
Most of us think about artificial intelligence
as, you know, later, you know, years in the future.
Something that we're going to experiment with
is seeing if it'll theorize about future attacks
or future attack vectors
or that more what we would characterize as kind of a creative thinking
or just kind of more expansive meta-analysis about the cybersecurity first principles
and how they apply to a future organization.
And can it take this retroactive perspective and apply it to a new
scenario that it has never encountered before? Yeah, I'm interested in the input side of it.
If you could tell it, you know, my organization at N2K is pretty good at resilience,
but maybe not so good at zero trust and maybe not so good at intrusion kill chain prevention.
What is the probability that
the Chinese government is going to compromise my organization? It may not be able to do it.
The second, I'm going to hardly wait to test it, but it's certainly in the foreseeable future for
us to be able to do that. And I think the near future. I mean, what this is showing is there's
always that joke that, you know, AI, it's people, right? That classic line from Soylent Green, right? It's that there is no such thing as AI. It's all just people. I think we're really getting close But at this point, it's also adding something.
It's adding something unique and valuable.
And it's doing it all in the course of a single conversation.
It's really exciting.
And if I'm going to be honest here, a little bit scary, right?
That we're at this level, right?
I'm not saying we're at Skynet level, but let's see what happens
the next five years. Yeah, let's see what happens. And let's see how our community uses it. And,
you know, something we want to do here is start leveraging this for our own work. And how can we
turn this into something of value for the community? And, you know, maybe it's just having
these conversations and seeing how it does and experimenting and testing and pushing the
boundaries and seeing what can be done
that can support the cybersecurity community.
But I think
that there's something here.
We're not sure exactly what it is yet
and how to use it day to day.
But one of
my goals here at CyberWire is that we figure out
how to do that.
Interview with the AI is a production of N2K Networks.
This episode was produced by Jennifer Iben, mixed by Elliot Peltzman.
Our executive editor is Peter Kilby.
I'm Brandon Karpf.
I'm ChatGPT.
And I'm Rick Howard.
Thanks for listening.