Guest Post: Threat Trends: AI and the Security Practitioner

Artificial Intelligence (AI) entered the public zeitgeist at the launch of ChatGPT toward the end of 2022 (despite machine learning and AI research having been ongoing for decades). AI is an extraordinarily broad topic that means many things to many people—with conversations ranging from having it take over basic machine learning tasks to support (or replace) workers to advanced systems that can manage our increasingly interconnected digital society at inhuman speeds. This blog will not add to the growing list of predictions forecasting massive job loss, nor will it discuss the potential of a new utopia (or dystopia) just over the horizon.

This blog follows our recently posted piece from FortiGuard Labs, titled “A Tentative Step Towards Artificial General Intelligence with an Offensive Security Mindset,” which looked at the potential impact of AI on cybersecurity. It examines how security practitioners can leverage AI as a practical tool to take on specific tasks, thereby creating time for IT teams to investigate more pressing or interesting topics.

For this blog, I look at the large language model (LLM)-based examples of AI that have recently become generally available (e.g., ChatGPT, Google Bard, Microsoft Bing AI). Of course, AI is more than chatbots. However, they do make it very easy to demonstrate my point.

A Day in the Life

As a Senior Threat Intelligence Engineer at Fortinet, my job requires me to search for, reverse engineer, and blog about malware. Each function requires multiple steps (sometimes unique, depending on the topic). And at times, many of these steps can be time-consuming. Enter automation.

Automation is one of the security industry’s holy grails. It allows data to be collected and correlated, threats or vulnerabilities to be identified, and a fully coordinated response to happen before a malicious actor can complete their objective. And in many cases, tools exist to enable this activity, such as Security Automation and Orchestration (SOAR) solutions. However, there are places and scenarios where this sort of technology is not available or practical, especially on a smaller scale. AI can help in some of these circumstances.

I’ll share three examples of where I’m actively using AI (specifically, ChatGPT) to save time in my everyday work stack.

YARA

One of the most common tasks in my role is to create YARA rules to help me search for interesting malware samples that I can reverse engineer and then blog about. YARA is an open-source, multi-platform tool that uses strings and binary pattern matching to aid in the identification and classification of malware. As you can imagine, writing such rules requires carefully thinking about what should be searched for. In many cases, this involves using terms that are current, especially items in the news that could be readily adapted to file names and e-mail lures that will attract people to click on them.

To illustrate this, let’s use the Reuters technology news homepage as an example. A search usually involves scanning the site for stories, distilling keywords or phrases from them, and then adding them to a YARA rule. With internet access and browsing capability, AI can shortcut this process. Rather than searching manually, I can direct the AI to summarize an entire news page:

The distilled information it provides makes the usefulness of the chat model readily apparent. Once this search is completed, I can direct the AI to take the story summaries and create keywords and phrases.

Once these keywords and phrases are created, I can now have the AI create my YARA rules.

It’s only taken a few moments to generate what would have taken me a significant amount of time to manually scan and compile the same data.

The final product, however, isn’t quite done (at least for me). Because the world is multi-lingual, malware and phishing lures are also delivered in multiple languages. Therefore, our YARA rule should incorporate multi-lingual searches to cast the widest possible net.

Performing this step manually, where I would have had to translate one phrase into one language at a time, would have previously been quite time- and labor-intensive to convert one phrase and one language at a time. But with an appropriately crafted ask, AI can provide them all simultaneously in seconds.

By saving the context of this conversion, I can request this same action repeatedly, using a new URL and having it output fresh rules as often as circumstances require.

Code Prototyping

When investigating malware samples, writing stand-alone scripts or applications is often required for scenarios that require too much time or labor using another method.

Before introducing AI into my workflow, this meant finding an older script on my dev/analysis machine and then repurposing it to solve whatever problem I was working on. But now, even if the end state still requires some manual coding, AI cuts the initial setup and prototyping to a minimum.

For example, I had been working on a sample that decrypted a data block using RC4. I asked ChatGPT to assist by creating a Python script that allowed for reusability by ingesting the encrypted block by file read.

Quite helpfully, not only are the instructions for running the code as-is provided, but it also includes instructions for installing and applying the needed Python cryptographic library used for the heavy lifting of the decryption.

There is also an important reminder at the close of the run that warns the user that RC4 is no longer considered to be cryptographically secure and should not be used for anything sensitive. This, of course, isn’t a problem as the use case is related to malware.

Cross-Platform Creation

Occasionally, malware sections are created and deployed using a language less conducive to analysis, and it becomes easier to analyze them by translating those sections into something a bit more familiar.

An excellent example is Go, a development language created by Google. Go is gaining a following because it has several memory safety enhancements that give it security advantages over traditional C and C++.

However, to better understand how a particular malware function operates, it can be helpful to translate it into something like Python 3.

The Go code in Figure 9 above generates a random string based on a size input. To more easily evaluate this function, we can ask ChatGPT to translate it into Python.

The AI gives us a Python 3 equivalent. It also helpfully distinguishes the library “random” in the first example in Figure 10 as not being cryptographically secure and provides us with a second option to use if desired.

Caveats

As with anything, simply accepting results as-is from an AI can lead to undesired consequences. It’s possible to get code that won’t function as desired, or the answers to queries can result in what’s known as a hallucination, where a confident response is unjustified by the training data. For example, the AI may confidently share information that is incorrect or, worse, seems to have been entirely made up.

As a result, checking results before using them is a critical quality assurance task to ensure that correct assumptions and conclusions are achieved.

Conclusion

In this blog, I’ve shared three examples of where a security practitioner may find an AI agent or chatbot helpful, helping expedite actions and simplify essential tasks. There are many others. But hopefully, while it showed that AI can streamline and automate specific tasks, it is also not yet able to replace an actual practitioner. It also requires someone to know how to ask the right questions to ensure the AI does the required job.

Whether we like it or not, the era of AI is upon us. However, it is vital to recognize its limitations and incorporate it as another tool on our belt. Ultimately, it’s how it is used by people and organizations that will determine its benefit or detriment to society.