ChatGPT for CTI Professionals
In 1950, Alan Turing, the father of modern computing, asked, “Can machines think?” Over the decades that question has turned into a quest to build machines that understand and generate human-like text, and the result is an assistant that is now within reach at almost any moment of the working day. Two of the most discussed topics today are Natural Language Processing (NLP), the branch of artificial intelligence within computer science that focuses on getting computers to understand how humans write and speak, and ChatGPT, one of the AI-supported chatbots built on it.
According to UBS, ChatGPT is the first Large Language Model (LLM) to become easily accessible to consumers, and it can be used intensively as an assistant across many disciplines. It is based on the Generative Pre-trained Transformer (GPT), a natural language processing (NLP) model developed by OpenAI using a deep learning technique called the transformer architecture, which is commonly used in NLP tasks such as language translation and text generation. ChatGPT is designed to follow context, generate text, and answer questions. Its answers read as confident even when they are wrong, so anything it produces for CTI use still has to be verified against the source material before it is acted on.
The power of ChatGPT lies in its ability to process and summarize large volumes of text quickly. By leveraging these capabilities, Cyber Threat Intelligence (CTI) professionals can use it to structure, analyze, and generate insights from a wide range of information sources, including threat feeds, dark web forums, and security blogs. Furthermore, ChatGPT can be used to automate repetitive tasks, allowing CTI professionals to focus on higher-level analysis and strategic decision-making. Its ability to generate human-like text makes it an excellent tool for creating well-structured reports and facilitating collaboration among CTI teams. One caveat applies throughout: prompts sent to the public ChatGPT service leave the organization, so incident details, customer data, and non-public indicators should be sanitized before they are pasted in.
In this article, we will delve into the various applications of ChatGPT in the CTI domain; it is important to recognize the potential benefits it can bring to CTI professionals and the broader cybersecurity community. By understanding the capabilities of ChatGPT and harnessing its power effectively, CTI professionals can stay one step ahead of cyber adversaries and better protect their organizations from cyber threats.
Applications of ChatGPT in CTI
Threat Intelligence Gathering
CTI professionals often need to gather threat intelligence from a multitude of sources, including open-source intelligence (OSINT), technical intelligence (TECHINT), and human intelligence (HUMINT). ChatGPT itself does not browse or scrape the web; it can, however, summarize and structure the text an analyst pastes in, and it can write the scrapers and parsers that consolidate information from sources such as social media platforms, blogs, and forums. By processing that text quickly, ChatGPT enables CTI professionals to maintain an up-to-date understanding of the evolving threat landscape and focus on generating actionable insights.
ChatGPT can extract the information we ask for from an article pasted into the prompt; in the example below, when we ask how a CTI professional would benefit from SOCRadar’s Sandworm threat actor article, it lists the essential information as output.
Analysis and Enrichment
For CTI professionals, it is crucial to identify relevant patterns, correlations, and anomalies in the collected data to develop actionable intelligence. ChatGPT’s understanding capabilities can significantly enhance this process by providing context and enriching raw data. By filtering out noise and irrelevant information, ChatGPT enables CTI professionals to concentrate on the most critical threats, thus improving the overall effectiveness of their threat analysis efforts.
When we ask ChatGPT about a portion of a Linux log taken as a sample from the loghub repository, it identifies the IP address in the log, explains what the entries are about, what the attack is, and what the problem in the log is, in an understandable way:
Automation of Routine Tasks
CTI professionals are often burdened with time-consuming routine tasks, such as generating reports, monitoring threat feeds, or analyzing log data. ChatGPT’s capabilities can be applied to automate these tasks, allowing CTI professionals to dedicate their time to higher-level tasks and improving the overall efficiency and effectiveness of CTI processes.
In response to our request, ChatGPT wrote the script seen below, which automates extracting the IP addresses from the log file with a regular expression (regex) and querying whether each IP address is malicious:
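The two steps above, reading a loghub-style Linux log to find the source of the failed logins and then extracting the IPs with a regex and checking their reputation, fit in one script. The block below is an added example written for this article; it is not the script ChatGPT produced and not SOCRadar code. The log lines are constructed in the style of the loghub Linux dataset (sshd/pam_unix entries with TEST-NET addresses), and the reputation lookup is a local blocklist standing in for a real service such as AbuseIPDB or VirusTotal, which is an assumption about what the production script would call.

```python
"""Triage Linux auth log lines: pull out source IPs, count failed logins
per source, and check each external IP against a reputation source."""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List

# Constructed sample in the style of the loghub Linux dataset (sshd/pam_unix
# lines). These lines and the TEST-NET addresses in them are made up.
SAMPLE_LOG = """\
Jun 14 15:16:01 combo sshd(pam_unix)[19939]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.45  user=root
Jun 14 15:16:02 combo sshd(pam_unix)[19937]: check pass; user unknown
Jun 14 15:16:02 combo sshd(pam_unix)[19937]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.45
Jun 14 15:16:03 combo sshd(pam_unix)[19941]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.45  user=guest
Jun 14 15:17:10 combo sshd(pam_unix)[19950]: session opened for user admin by (uid=0)
Jun 14 15:18:22 combo sshd(pam_unix)[19955]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7  user=root
Jun 14 15:19:00 combo ftpd[19960]: connection from 10.0.0.5 () at Mon Jun 14 15:19:00 2005
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FAILURE_RE = re.compile(r"authentication failure;.*?rhost=(\S+)")

# Only RFC 1918, loopback, link-local and "this network" count as internal, so
# the documentation (TEST-NET) addresses in the sample still count as external;
# ipaddress.is_private would drop TEST-NET as well.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_ips(text: str, include_internal: bool = False) -> List[str]:
    """Return the distinct IPv4 addresses in text, in order of first appearance."""
    found: List[str] = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.ip_address(candidate)  # the regex alone accepts 999.1.1.1
        except ValueError:
            continue
        if not include_internal and is_internal(candidate):
            continue
        if candidate not in found:
            found.append(candidate)
    return found


def failed_logins_by_source(text: str) -> Counter:
    """Count pam_unix authentication failures per rhost."""
    counts: Counter = Counter()
    for line in text.splitlines():
        match = FAILURE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


# Constructed local blocklist standing in for a reputation service. Assumption:
# a production script would swap lookup_blocklist for a call to a service such
# as AbuseIPDB or VirusTotal, with the API key kept out of the source file.
LOCAL_BLOCKLIST = {"198.51.100.7"}


def lookup_blocklist(ip: str) -> bool:
    return ip in LOCAL_BLOCKLIST


def triage(text: str, lookup: Callable[[str], bool] = lookup_blocklist,
           threshold: int = 3) -> List[Dict[str, object]]:
    """Combine failure counts with reputation into a per-IP verdict."""
    failures = failed_logins_by_source(text)
    report = []
    for ip in extract_ips(text):
        count = failures.get(ip, 0)
        bad = lookup(ip)
        if count >= threshold:
            verdict = "brute-force"
        elif bad:
            verdict = "known-bad"
        else:
            verdict = "review"
        report.append({"ip": ip, "failures": count,
                       "on_blocklist": bad, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

The regex is deliberately loose and the `ipaddress` check does the validation, which is the usual split: a regex that tries to validate octets is hard to read and still misses context. Rate limits and quotas on reputation APIs are the reason the lookup runs only over the deduplicated external addresses rather than every line.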
Improved Collaboration and Knowledge Sharing
As CTI professionals work in teams, effective collaboration and information sharing are vital for success. ChatGPT does not retain a team’s material between conversations, so it is not a knowledge repository in itself, but it can facilitate information sharing: its ability to generate summaries, provide explanations, and answer questions about a specific threat or incident pasted into the prompt helps team members get up to speed and make informed decisions.
When we asked ChatGPT to generate Structured Threat Information Expression (STIX), a standardized language for sharing cyber threat intelligence, from the sample LockBit IOCs we retrieved from the CTI module of the SOCRadar platform, we obtained the following output (any STIX the model produces should be validated before it is shared, since a malformed bundle will be rejected by the receiving platform):
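To show what a valid STIX 2.1 bundle for a set of IOCs looks like, and what to check in one before sharing it, the following added example builds indicators linked to a malware object with only the standard library. This is not the output ChatGPT produced and not SOCRadar code; the IOC values are constructed placeholders, not real LockBit indicators, and the `check_bundle` function is a minimal sanity check written here, not a full STIX validator.

```python
"""Build a STIX 2.1 bundle (indicators linked to a malware object) from a
list of IOCs, using only the standard library."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed placeholder IOCs; these are not real LockBit indicators.
SAMPLE_IOCS = [
    {"type": "sha256", "value": "a" * 64},
    {"type": "md5", "value": "0123456789abcdef0123456789abcdef"},
    {"type": "ipv4", "value": "203.0.113.10"},
    {"type": "domain", "value": "update-check.example"},
    {"type": "url", "value": "http://update-check.example/payload"},
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def stix_timestamp(when: datetime) -> str:
    """STIX timestamps are UTC RFC 3339 with millisecond precision and a Z."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def to_pattern(ioc_type: str, value: str) -> str:
    """Map one IOC to a STIX pattern, validating the value first."""
    v = value.strip()
    if ioc_type in ("sha256", "md5"):
        v = v.lower()
        if len(v) != (64 if ioc_type == "sha256" else 32) or not HEX_RE.match(v):
            raise ValueError(f"bad {ioc_type}: {value!r}")
        key = "'SHA-256'" if ioc_type == "sha256" else "MD5"
        return f"[file:hashes.{key} = '{v}']"
    if ioc_type == "ipv4":
        if ipaddress.ip_address(v).version != 4:  # raises ValueError if not an IP
            raise ValueError(f"not IPv4: {value!r}")
        return f"[ipv4-addr:value = '{v}']"
    if ioc_type == "domain":
        v = v.lower().rstrip(".")
        if not DOMAIN_RE.match(v):
            raise ValueError(f"bad domain: {value!r}")
        return f"[domain-name:value = '{v}']"
    if ioc_type == "url":
        if not v.startswith(("http://", "https://")):
            raise ValueError(f"bad url: {value!r}")
        return "[url:value = '" + v.replace("\\", "\\\\").replace("'", "\\'") + "']"
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def build_bundle(iocs: Iterable[Dict[str, str]], malware_name: str = "LockBit",
                 malware_types: Iterable[str] = ("ransomware",),
                 now: Optional[datetime] = None) -> Dict[str, object]:
    """One malware SDO, one indicator per IOC, one 'indicates' SRO per indicator."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    malware = {"type": "malware", "spec_version": "2.1",
               "id": f"malware--{uuid.uuid4()}", "created": ts, "modified": ts,
               "name": malware_name, "is_family": True,
               "malware_types": list(malware_types)}
    objects: List[Dict[str, object]] = [malware]
    for ioc in iocs:
        indicator = {"type": "indicator", "spec_version": "2.1",
                     "id": f"indicator--{uuid.uuid4()}", "created": ts, "modified": ts,
                     "name": f"{malware_name} {ioc['type']}: {ioc['value']}",
                     "indicator_types": ["malicious-activity"],
                     "pattern": to_pattern(ioc["type"], ioc["value"]),
                     "pattern_type": "stix", "valid_from": ts}
        relationship = {"type": "relationship", "spec_version": "2.1",
                        "id": f"relationship--{uuid.uuid4()}", "created": ts,
                        "modified": ts, "relationship_type": "indicates",
                        "source_ref": indicator["id"], "target_ref": malware["id"]}
        objects += [indicator, relationship]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def check_bundle(bundle: Dict[str, object]) -> bool:
    """Sanity check: well-formed ids that match their type, and every
    relationship pointing at objects that are actually in the bundle."""
    objs = bundle["objects"]
    ids = {o["id"] for o in objs}
    for o in objs:
        if not STIX_ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            return False
        if o["type"] == "relationship" and not {o["source_ref"], o["target_ref"]} <= ids:
            return False
    return True


def to_json(bundle: Dict[str, object]) -> str:
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    print(to_json(build_bundle(SAMPLE_IOCS)))
```

Hash values are lowercased and domains have their trailing dot stripped before they go into the pattern, so two analysts submitting the same IOC in different casing do not produce two indicators. For anything beyond a quick export, the `stix2` library and a schema validator are the right tools; this example shows the shape of the objects so that model output can be checked against it.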
Malware Analysis
ChatGPT’s capabilities can be leveraged for malware analysis by assisting CTI professionals in identifying and classifying malware samples. It cannot execute or open a binary itself; what it works on is the text an analyst supplies, such as strings output, disassembly, decompiled source, or sandbox reports. Given that material, it can help recognize patterns and anomalies in code and suggest potential indicators of compromise (IOCs), and it can point out key attributes such as the likely malware family, associated C2 infrastructure, and other relevant information. This insight can then be used to develop actionable intelligence for defending against threat actors who use the same malware in their operations.
Also, when we ask ChatGPT about a GitHub repository where a malware sample’s source code is available, it gives an informative explanation:
Furthermore, ChatGPT can assist CTI professionals in reverse engineering malware to better understand its functionality and behavior. Working from the decompiled or disassembled code it is given, ChatGPT can identify critical components, such as encryption algorithms, communication protocols, and persistence mechanisms, providing valuable information for mitigation and defense efforts. As with any model output, its description of the code should be checked against the code itself, since a plausible but wrong explanation of a persistence mechanism leads to the wrong detection.
When we gave ChatGPT vault-door-1, one of picoCTF’s Reverse Engineering exercises, it solved the challenge:
YARA Rule Writing
YARA is a powerful tool CTI professionals use to identify and classify malware samples based on specific patterns. ChatGPT can draft YARA rules from the attributes identified during malware analysis, such as distinctive strings, and it is good at filtering boilerplate out of a strings listing and turning the rest into rule syntax. Because the model only sees the attributes it is given, not a corpus of samples, the resulting rules must still be tested against the target malware family and against a clean corpus to confirm that they detect the target without matching benign software. Used that way, the automation saves CTI professionals’ time and helps organizations strengthen their defenses against evolving threats.
For RedLine Stealer, which we took as a sample, we shared the output of the strings utility with ChatGPT and asked it to pick out the important strings and create a YARA rule for us:
ChatGPT listed the important points from our prompt and then wrote an example YARA rule for this scenario:
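The same strings-to-rule workflow, written out so that the filtering and escaping steps are explicit, is given below as an added example. It is not the rule ChatGPT wrote and not SOCRadar code; the strings listing is constructed in the style of a .NET information stealer and contains placeholder names, not strings from a real RedLine sample. The noise markers and the `ascii wide` modifier are choices made here for .NET binaries, where CLR metadata names are ASCII and user strings are stored as UTF-16.

```python
"""Turn `strings` output into a draft YARA rule: drop boilerplate strings,
keep distinctive ones, escape them for YARA, and emit the rule text."""
import re
from datetime import date
from typing import List, Optional

# Constructed `strings` output in the style of a .NET information stealer.
# These are placeholders, not strings taken from a real RedLine sample.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
.text
mscoree.dll
_CorExeMain
System.Runtime.CompilerServices
GetBrowserCredentials
GetCryptoWalletFiles
ScanProcesses
SendCollectedData
ExampleStealer.Config
\\Local Storage\\leveldb
Login Data
key3.db
CompilerGeneratedAttribute
RuntimeCompatibilityAttribute
"""

# Substrings that mark PE/CLR boilerplate present in almost every .NET binary;
# a rule built on them would fire on benign software.
NOISE_MARKERS = ("DOS mode", "mscoree", "_CorExeMain", "System.", "Microsoft.")


def is_noise(s: str) -> bool:
    return any(marker in s for marker in NOISE_MARKERS) or s.endswith("Attribute")


def filter_strings(strings_output: str, min_len: int = 8,
                   max_strings: int = 10) -> List[str]:
    """Return the most distinctive printable strings, longest first."""
    keep: List[str] = []
    for raw in strings_output.splitlines():
        s = raw.strip()
        if len(s) < min_len or not s.isprintable() or is_noise(s):
            continue
        if s not in keep:
            keep.append(s)
    keep.sort(key=lambda s: (-len(s), s))
    return keep[:max_strings]


def yara_escape(s: str) -> str:
    """Escape backslashes and double quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, candidates: List[str], min_match: int = 3,
               family: Optional[str] = None, created: Optional[str] = None) -> str:
    """Emit a rule that requires a PE header plus min_match of the strings."""
    if not candidates:
        raise ValueError("no candidate strings survived filtering")
    ident = re.sub(r"\W", "_", name)
    if ident[0].isdigit():  # YARA identifiers cannot start with a digit
        ident = "_" + ident
    needed = min(min_match, len(candidates))
    lines = [
        f"rule {ident}",
        "{",
        "    meta:",
        f'        description = "Strings-based detection for {family or name}"',
        f'        date = "{created or date.today().isoformat()}"',
        "    strings:",
    ]
    for i, s in enumerate(candidates, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    lines += [
        "    condition:",
        f"        uint16(0) == 0x5A4D and {needed} of ($s*)",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_rule("RedLine_Stealer_strings", filter_strings(SAMPLE_STRINGS),
                     family="RedLine Stealer"))
```

The `uint16(0) == 0x5A4D` guard keeps the rule from scanning every file for the strings, and `3 of ($s*)` rather than `all of them` tolerates a variant that renames one or two methods. Before the rule goes into a scanner, run it with `yara` over a goodware set; browser paths such as the leveldb one above also appear in legitimate software, which is why the condition asks for several strings together.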
Threat Hunting
Threat hunting is a proactive approach to identifying and mitigating potential threats before they can cause significant damage. ChatGPT can be utilized in threat-hunting operations by providing actionable intelligence on potential threats and suggesting areas of interest within a network environment. Given excerpts of network logs, endpoint data, and other relevant information, ChatGPT can generate hypotheses for CTI professionals to investigate further. This capability enhances threat-hunting efforts by focusing on high-priority targets and improving overall security posture.
Furthermore, ChatGPT can support CTI professionals by helping to develop custom threat-hunting playbooks tailored to an organization’s specific environment and threat landscape. By providing insights into novel tactics, techniques, and procedures (TTPs) used by adversaries, ChatGPT enables CTI professionals to devise more effective threat-hunting strategies.
Security Intelligence Integration
ChatGPT can play a significant role in integrating security intelligence from different sources. By leveraging ChatGPT’s capabilities, CTI professionals can aggregate and correlate data from diverse sources, such as threat feeds and security blogs. This enriched and contextualized intelligence can be used to make more informed decisions about an organization’s security posture and enhance overall risk management.
Predictive Analysis and Trend Identification
One of the key benefits of security intelligence is its ability to identify trends and enable proactive decision-making. ChatGPT can assist CTI professionals in predictive analysis by identifying patterns and trends in the collected data. By analyzing historical data and recognizing the evolving threat landscape, ChatGPT can generate insights to help CTI professionals anticipate future threats and adjust their security strategies.
Enhancing CTI Processes with ChatGPT
Obtaining Data
A critical part of CTI is obtaining data from various sources, including open-source intelligence (OSINT), technical intelligence (TECHINT), and human intelligence (HUMINT). ChatGPT can streamline this process for CTI professionals by writing the collection scripts and by consolidating and summarizing data already pulled from sources such as social media platforms, blogs, and forums; it does not fetch that data itself. This ability to turn raw collected text into structured information quickly enables CTI professionals to maintain an up-to-date understanding of the evolving threat landscape.
Analyzing Data
Once data has been obtained, it must be analyzed to extract meaningful insights and develop actionable intelligence. ChatGPT can assist CTI professionals in identifying patterns, correlations, and anomalies in the collected data. Additionally, it can help filter out noise and irrelevant information, enabling CTI professionals to focus on the most critical threats.
Prioritizing Threats
With the vast amount of data collected from various sources, CTI professionals often face the challenge of prioritizing threats. ChatGPT can aid in this process by helping to identify and rank threats based on factors such as severity, potential impact, and the organization’s risk tolerance, provided those factors are stated in the prompt, since the model knows nothing about the organization otherwise. By prioritizing threats effectively, CTI professionals can allocate resources efficiently and focus on addressing the most critical issues.
Reporting and Communication
Clear and concise reporting is crucial for communicating the findings of CTI analysis to various stakeholders within an organization. ChatGPT can assist in generating well-structured and informative reports tailored to the audience’s needs, whether they are technical staff, executives, or board members. By automating the reporting process, CTI professionals can ensure that their findings are effectively communicated, leading to more informed decision-making and improved security outcomes.
Conclusion
As the cyber threat landscape evolves, CTI professionals need advanced tools to stay ahead of the curve. ChatGPT offers a powerful solution that can be used to improve various components of CTI processes. By structuring gathered data, improving contextual analysis, simplifying routine tasks, and facilitating collaboration, ChatGPT lets CTI professionals concentrate on generating practical insights and protecting their organizations or clients against cyber threats, as long as its output is verified and sensitive data is kept out of the prompts.
Exciting news emerges as SOCRadar Extended Threat Intelligence (XTI) announces its plan to integrate AI support into its platform. This integration will enable professionals to take advantage of AI’s capabilities in areas such as malware analysis, YARA rule writing, and threat hunting, allowing them to stay ahead of emerging threats. Starting with Phase 1, the AI will learn from public threat intelligence reports, delivering within seconds information that typically takes hours to gather. The platform also plans to transform its knowledge into an easy-to-use Q&A format, making it accessible for users without extensive training.
As AI technology advances, ChatGPT and other AI tools will offer increasingly valuable benefits to CTI professionals, broadening their potential applications within the field.