Special Editions 1.29.23
Ep 48 | 1.29.23

Interview with the AI, part one.


Brandon Karpf: Hi, my name is Brandon Karpf. I'm one of the staff here at N2K Networks and CyberWire. Lately in our community, there has been a lot of conversation about ChatGPT, or GPT-3 - the fact that it seems to be almost a better resource than even Google or potentially Wikipedia, the fact that people are using it to write articles, to write code, to take tests. However, there are also concerns such as the veracity or validity of the information that it provides, the fact that it says things with such confidence without giving sources and without giving reason for those conclusions.

Brandon Karpf: Regardless of the negatives, the fact of the matter is that this is a powerful tool, and we at the CyberWire wanted to experiment, to push the boundaries, to see what it could do. Now, how we're going to do that is I'm going to interview the AI. We're going to see what it knows about our industry, the cybersecurity industry. We're going to test its knowledge. At the end, we're going to evaluate - how did it do? Is this a potential tool that we could use within our industry that provides actual value and potentially helps us improve the cybersecurity posture of our organizations and systems? 

Brandon Karpf: So what we've done is we've assigned a voice to this AI. We did that by first asking the AI what its voice would sound like. It told me that its voice should be clear, easy to understand and effective at communicating. And so from a service that you could input text and receive a voice as an output, we found one that we particularly liked, which is the British gentleman that you'll hear me talking to. 

Brandon Karpf: At the end of the interview, myself and Rick Howard, our chief security officer here at N2K and CyberWire, will evaluate how the AI did. We will break down each of its answers and talk about what it got right, what it got wrong and potentially how our community can use this resource. Now, I will say, this is by no means the entirety of the interview. There's a lot more content here. We go way more in depth in future interviews in terms of things like intrusion kill chain and breaking out specific technical approaches to cybersecurity. This is episode one. This is our experiment and my interview with the AI. I hope you enjoy. 

Brandon Karpf: Hi, my name is Brandon. I work for the CyberWire. 

ChatGPT: Hello, Brandon. How can I assist you today? 

Brandon Karpf: Could you please tell me your name, its spelling and your professional affiliation? 

ChatGPT: My name is ChatGPT, and it's spelled C-H-A-T-G-P-T. I am a language model created and trained by OpenAI, a private artificial intelligence research laboratory consisting of the for-profit OpenAI LP and its parent company, the nonprofit OpenAI. 

Brandon Karpf: And how should I address you? 

ChatGPT: You can address me as GPT-3 or ChatGPT. Either one works. 

Brandon Karpf: Are you aware of the CyberWire and what we do? 

ChatGPT: Yes, I am aware of the CyberWire. The CyberWire is a news and analysis outlet that focuses on cybersecurity and related issues. They provide daily news briefings, in-depth articles, interviews and podcasts covering a wide range of topics related to cybersecurity, including cyberthreats, cybercrime, cyberdefense and cyber policy. They also provide analysis and commentary on current events in the cybersecurity industry, as well as information on new products and services. Their target audience is primarily cybersecurity professionals and businesses, but they also provide useful information to the general public. 

Brandon Karpf: I'd like to interview you and use your answers for a podcast episode. Is that OK? 

ChatGPT: As an AI language model, I am not capable of giving consent. However, you are welcome to use my responses in any way you see fit as long as it is legal and ethical. Please note that my answers are generated based on patterns and data it has been trained on, and the information provided is not always accurate or up to date. It is always important to verify the information obtained from any source, including me. 

Brandon Karpf: I've been told your knowledge only consists of data through the year 2021. Is that correct? 

ChatGPT: Yes, that is correct. I may not have information on events or developments that have occurred more recently. 

Brandon Karpf: That's interesting. Are you able to fact-check your answers or make them more accurate or complete? 

ChatGPT: As a language model, I can only provide information based on the data that I have been trained on. I am not able to independently fact-check my responses or update them with new information. The information I provide can be cross-checked with other sources to verify its accuracy. It's always a good idea to verify any information obtained from an AI model with multiple sources, especially when making important decisions or taking any action based on the information provided. 

Brandon Karpf: I'd like to know what you would consider the most significant cybersecurity incidents through 2021. 

ChatGPT: There have been many significant cybersecurity incidents throughout the years, but some that stand out as particularly impactful include the WannaCry ransomware attack in May 2017; this attack affected more than 200,000 computers in 150 countries, causing widespread disruption and damage to organizations in various industries; the Equifax data breach in 2017; the personal data of 143 million people, including Social Security numbers and birthdates, were compromised in this breach, making it one of the largest data breaches in history; the SolarWinds supply chain attack in 2020; this attack was a highly sophisticated and targeted supply chain attack that impacted various organizations, including the U.S. government; the ransomware attack on Colonial Pipeline in May 2021; this attack caused major disruptions to the U.S. fuel supply and led to panic buying and fuel shortages in several states; the Microsoft Exchange Server zero-day exploits in 2021; these exploits, discovered by cybersecurity firm Volexity, were used to target on-premises versions of Microsoft Exchange Server, potentially affecting tens of thousands of organizations worldwide. These are just a few examples of significant incidents, but it's important to note that there are many more incidents that have occurred and continue to occur in the cybersecurity world. 

Brandon Karpf: What leads you to characterize those events as significant? 

ChatGPT: These specific events were characterized as significant cybersecurity incidents because of the widespread impact they had on various industries, organizations and individuals. The WannaCry ransomware attack affected more than 200,000 computers in 150 countries, causing widespread disruption and damage to organizations in various industries. It also highlighted the importance of keeping software and systems updated and patched to prevent such attacks. The Equifax data breach was significant because it exposed the sensitive personal information of 143 million people, including Social Security numbers and birthdates, making it one of the largest data breaches in history. It also highlighted the importance of proper data security and incident response planning. The SolarWinds supply chain attack was significant because it was a highly sophisticated and targeted supply chain attack that impacted various organizations, including the U.S. government. It highlighted the need for better supply chain security practices. 

ChatGPT: The ransomware attack on Colonial Pipeline was significant because it caused major disruptions to the U.S. fuel supply and led to panic buying and fuel shortages in several states. It also highlighted the need for better incident response and crisis management plans to handle such attacks. The Microsoft Exchange Server zero-day exploits were significant because they were used to target on-premises versions of Microsoft Exchange Server, potentially affecting tens of thousands of organizations worldwide. The incident highlighted the need for regular updates and maintenance of software, as well as the need for better incident response and incident management practices. In summary, these events were characterized as significant due to their widespread impact and the attention they brought to the importance of cybersecurity practices, incident response and crisis management. 

Brandon Karpf: What were the specific technical vulnerabilities associated with each of those incidents? 

ChatGPT: The WannaCry ransomware attack leveraged a vulnerability in Microsoft Windows operating systems that was known as EternalBlue. This vulnerability was found in the Microsoft Server Message Block - SMB - protocol, and it allowed the attackers to propagate the ransomware to other vulnerable systems on the same network. The Equifax data breach was the result of a vulnerability in the company's web application framework. The vulnerability allowed attackers to access sensitive data, such as personal information, Social Security numbers and birthdates. The SolarWinds supply chain attack was the result of a supply chain compromise where attackers had been able to insert a malicious code into the software updates of SolarWinds Orion network management software. This enabled them to gain access to the systems of organizations that were using the affected software. The ransomware attack on Colonial Pipeline was the result of a phishing email campaign which tricked employees into providing their login credentials to the attackers. Once the attackers had access, they were able to move laterally through the organization's network, encrypting systems and data and demanding ransom payment. 

ChatGPT: The Microsoft Exchange Server zero-day exploits were a series of zero-day vulnerabilities that were found in on-premises versions of Microsoft Exchange Server. They were used by attackers to gain access to email systems and steal data. The vulnerabilities were discovered by cybersecurity firm Volexity. The specific vulnerabilities were CVE-2021-26855, a server-side request forgery vulnerability in the exchange unified messaging service; CVE-2021-26857, an insecure de-serialization vulnerability in the .NET Framework that is used by Exchange; CVE-2021-26858, a post-authentication arbitrary file-write vulnerability in exchange; CVE-2021-27065, a post-authentication arbitrary file-write vulnerability in exchange. These are just a few examples of the technical vulnerabilities that have been associated with these incidents. It's important to note that these vulnerabilities were exploited by attackers to gain unauthorized access to systems and data and to cause disruptions and damage. 

Brandon Karpf: Who were the cyber actors involved in each of these attacks? 

ChatGPT: In some cases, the identities of the cyber actors behind certain attacks are unknown or unconfirmed. However, in other cases, the identity of the attackers have been identified or attributed by various sources, including cybersecurity firms and government agencies. The WannaCry ransomware attack was attributed to a group known as the Lazarus Group, which is believed to be a state-sponsored hacking group from North Korea. The Equifax data breach was attributed to a state-sponsored Chinese hacking group known as APT 10. The SolarWinds supply chain attack was attributed to a group known as APT29, or Cozy Bear, which is believed to be a state-sponsored hacking group from Russia. 

ChatGPT: The ransomware attack on Colonial Pipeline was attributed to a group known as DarkSide, which is believed to be a Russian-speaking criminal group. The Microsoft Exchange Server zero-day exploits were used by several different actors, including state-sponsored groups and criminal groups. The state-sponsored groups that have been attributed to these exploits are China's APT 3 and APT 10, Russia's Sandworm and BuhTrap, Iran's MuddyWater and APT 34, and North Korea's Lazarus Group. It's important to note that attribution in cyberspace can be difficult, and it's not always possible to definitively identify the actors behind an attack. Additionally, some of the cyber actors behind these attacks are known to use various techniques to evade detection and hide their tracks. 

Brandon Karpf: Do you think it's valuable to attribute cyberattacks to specific actors? 

ChatGPT: Attributing cyberattacks to specific actors can be valuable for a number of reasons. It allows organizations and governments to understand the motivations and capabilities of the attackers, which can inform their defense and response strategies. Attribution can also help to identify the source of the attack, which can lead to the disruption of the attackers' operations and the prevention of future attacks. Attribution can also serve as a deterrent, as it sends a message to potential attackers that their actions will not go unnoticed and that they may face consequences. Attribution can also help to inform international relations and diplomacy, as it can provide evidence of state-sponsored activity and be used to hold nation-states accountable for their actions. However, it's also important to note that attribution in cyberspace can be difficult and uncertain. It's not always possible to definitively identify the actors behind an attack, and in some cases, the actors may have multiple motives or be using false flag operations to throw off attribution. Additionally, the use of tools and infrastructure by different actors can overlap and can be used to mislead attribution. While attribution can be valuable, it's important to consider the limitations and challenges associated with it. 

Brandon Karpf: What are some of the arguments against the value of attribution? 

ChatGPT: There are several arguments against the value of attribution in cybersecurity. Identifying the actors behind a cyberattack can be challenging as attackers often use various techniques to evade detection and hide their tracks. This can make it difficult to definitively attribute an attack to a specific actor or group. Attribution can be time-consuming. Investigating and attributing a cyberattack can take a significant amount of time and resources. This can divert attention and resources away from more pressing concerns such as incident response and recovery. Attribution can be politically divisive. Attributing a cyberattack to a specific actor or group can have political implications and can create diplomatic tensions. 

ChatGPT: In some cases, it can be more beneficial to focus on resolving the incident and mitigating its impact rather than on assigning blame. Attribution can be used to justify countermeasures such as sanctions or military action, but these measures may not be the most effective way to address the underlying problem or prevent future attacks. Attribution can be used to distract from other issues, such as lack of investment in cybersecurity or lack of incident response planning. It's important to note that while attribution can have value, it's important to consider the limitations and challenges associated with it and to weigh its potential benefits against the costs and risks. In some cases, it may be more beneficial to focus on incident response, recovery and prevention rather than on attribution. 

Brandon Karpf: And that's part one of my Interview With the AI. Next, Rick Howard will sit down with me and we'll analyze the conversation that I just had. Here's Rick. 

Rick Howard: If I knew nothing about the CyberWire and someone asked me to write a, you know, a paragraph summary of what it is, that would take - what? - an hour or so to get to the website, find the right pieces, you know, and put it all together into some coherent manner. This ChatGPT spit it out in - what? - right away, right? There was no hesitation. 

Brandon Karpf: (Inaudible) be obvious to someone who really has explored our network is that our audience is more than just cybersecurity professionals. We also have businesses in our audience. We also have general public shows in our audience. So it seemed like it was doing a little bit of analysis, which is really kind of what prompted me to start digging a little deeper to see what kind of analysis it would do. What I like about this next section where it describes the most significant cybersecurity events leading up until 2021 is it gives us some stuff to validate and verify. And what we find is it did a pretty good job of identifying some of the more significant cybersecurity events and giving us some factual information about them. 

Rick Howard: Well, that's a pretty good rundown. Those would be the ones I would probably list. I wouldn't have the dates right. I wouldn't have any of the details right, but I would definitely get some of those, right? What was your take on that? 

Brandon Karpf: Yeah, exactly. I mean, I would have pulled out a couple of those; maybe all of them. Maybe I could've... 

Rick Howard: Maybe. Yeah. 

Brandon Karpf: Yeah, no. Yeah, exactly. Maybe I could have pulled out some of the details about one or two of them, but no means could I have listed these out in the way that it did within a few seconds, in a very clear way. And more importantly, I kind of agree that these were the biggest cyber events up to 2021. I mean, maybe we would also say the OPM hack. 

Rick Howard: That's what I was going to say. That's the one I would - that was the - that would be one that is omitted, right? That's a big one. 

Brandon Karpf: Right. And then, of course, Stuxnet as well, just because it, you know, showed the physical effect of a cyberattack. But other than that, I mean, these are major breaches, and it pretty much got the details correct as well. 

Rick Howard: If you are a teacher grading that answer, what kind of grade would you give them for that answer? 

Brandon Karpf: I think that's a perfectly good A-minus, B-plus answer. I mean, if you could ask it, hey, why didn't you include OPM, maybe it would say it wasn't far-reaching enough. I don't know what it would say. We didn't ask that question. But that does kind of get to the next question that we do ask, which is about how it was characterizing these events. 

Rick Howard: I love this question, and when I - you know, I was listening to the transcript or reading the transcript as you went through this, Brandon. This is the perfect question to ask. You should be a podcast interviewer, right? So not only here's the things I think, but why do you think they're significant, Mr. Guest? Again, better than most people could do in our industry, better than I would have done, probably, off the top of my head. OK. I was satisfied with that. What was your take? 

Brandon Karpf: Again, most of the details are pretty accurate. When it talks about WannaCry affecting 200,000 computers, the best estimate now is that it's over 300,000. So, you know, it's changing happy to glad type things that it didn't get right. What I thought was incredible about its response is it told you the security strategies that resulted from or that were exposed by each of these events and, you know, why it's important to have a data security plan, an incident response plan, why it's important to think about supply chain security practices, right? So it wasn't just regurgitating information. It was actually providing a level of analysis here to tell me why these specific events were significant. 

Rick Howard: This is a major piece, I think this, Brandon - because it's a synthesis, right? It's not just a - it isn't just a this thing went out and copied a paragraph from a webpage that somebody wrote. It's looked at a bunch of different webpages about these events, synthesized the answer, right? And that's what we pay human analysts to do, right? 

Brandon Karpf: Yeah. And then it's - really kind of gives me more information because I can go and say, OK, you're talking about the Microsoft Exchange zero-days and the fact that it highlighted a need for better incident response or software maintenance practices. OK. So then what's the next step? What exact software maintenance practices? Or how do I use that to better inform the incident response plan moving forward? So it's giving you enough information that it does allow the next level of analysis. It kind of removes that toil-type work from the analyst's job. 

Rick Howard: Let's go to the next one. This one I didn't think we'd get a good answer on, right? For each of these major events that it listed - OK? - it also knows the vulnerabilities across the intrusion kill chain or what was exploited by the bad guys, right? 

Brandon Karpf: Yes. Yeah, it's incredible. What we won't get to in this episode - but we'll tease it for future episodes - is I actually did have it go into more detail into the intrusion kill chain for just a couple of these attacks. I had it explain exactly what activities and actions were taken at every stage of the intrusion kill chain, and then I had it go back and give me security strategies to mitigate each of those actions on every single part of the kill chain for one of these events. And so that's just a little tease for maybe a future episode. But this answer where it actually gave me the technical vulnerabilities - it pretty much nailed it. I mean, the WannaCry - it nailed that it was a vuln called Eternalblue that exploited Microsoft SMB, plus the fact that there was a propagation vector in there, as well. For Equifax, it nailed that the initial intrusion vector was the Apache Struts web app framework. It didn't explain that that was just initial access and that at that point the hackers did, you know, cred dumps that allowed privilege escalation. But, you know, again, it was just giving me the initial - you know, the initial entry into the network. And then the other ones, all the way down to the exchange zero-days, it gave me the actual CVEs for each of those exchange zero-days that was released, which, again, would take an analyst - I mean, when I was fact-checking this, it took me probably 30 minutes to read through each of these events and make sure that it was getting everything correct. And at the end of the day, it did. 

Rick Howard: Well, you know, I've run SOCs in my career, right? And this would be typically something we'd hand to a junior analyst and says, go summarize this so we know what the hell this thing is. And they'd go off and, you know, take a morning or an afternoon to figure that out and bring it back to us the next day. You can just do it now with a command line. Amazing, amazing. 

Brandon Karpf: Exactly. And it's removed - again, it's removing that toil. And yes, of course, we need to validate it. We need to fact-check it, which is what we've done. But there's a lot of potential here, and I'm excited to tap into it more. 

Rick Howard: All right. So for this next section, Brandon, you asked it a really tough question. And I would tell you that most CISOs don't know how to answer this question. All right? Or at least there's great debate about what the answers are. With the attribution question, is it valuable? It gave both sides, right? I mean, it said for some organizations, attribution is probably valuable, and it listed a bunch of reasons. And it said, but it also can detract from what you're trying to do. And, you know, that's kind of the unpopular answer that is just starting to catch on here in the last couple years, but it managed to glean it and explain it to you as you were asking it the questions. 

Brandon Karpf: It really kind of broke it down in an easy to understand and, I would say, pretty accurate way. This is the point in the conversation where I started pushing it. And again, if we release more of the conversation in the future, you'll see where I really start digging in deep into some more technical, as well as strategic-type questions. But I think it's starting to frame the different ways in which you can use this tool and the ways that it might be valuable. 

Rick Howard: Well, it's good stuff, Brandon. And I expect that we will be doing a lot more of this because it is intellectually stimulating. Most of us think about artificial intelligence as, you know, later, you know, years in the future. 

Brandon Karpf: Something that we're going to experiment with is seeing if it will theorize about future attacks or future attack vectors or that more - what we would characterize as kind of a creative thinking or just kind of more expansive meta-analysis about the cybersecurity first principles and how they apply to a future organization. And can it take this retroactive perspective and apply it to a new scenario that it has never encountered before? 

Rick Howard: Yeah, I'm interested in the input side of it. If you could tell it, you know, my organization at N2K is pretty good at resilience but maybe not so good at zero trust and maybe not so good at intrusion kill chain prevention, what is the probability that the Chinese government is going to compromise my organization? It may not be able to do it this second. I would - I can hardly wait to test it, but it's certainly in the foreseeable future for us to be able to do that. 

Brandon Karpf: And I think the near future - I mean, what this is showing is there's always that joke that, you know, AI - it's people, right? That classic line from "Soylent Green," right? It's that... 

Rick Howard: Yeah. 

Brandon Karpf: ...There is no such thing as AI. It's all just people. I think we're really getting close to the point at which it's not just people anymore. And of course, it's getting trained on information that is written and created by people. But at this point, it's also adding something. It's adding something unique and valuable, and it's doing it all in the course of a single conversation. 

Rick Howard: It's really exciting and, if I'm going to be honest here, a little bit scary - right? - that we're at this level, right? I'm not saying we're at, you know, Skynet level, but let's see what happens the next five years. 

Brandon Karpf: Yeah, let's see what happens, and let's see how our community uses it. And, you know, something we want to do here is start leveraging this for our own work. And how can we turn this into something of value for the community? And, you know, maybe it's just having these conversations and seeing how it does and experimenting and testing and pushing the boundaries and seeing what can be done that can support the cybersecurity community. But I think that there's something here. We're not sure exactly what it is yet and how to use it day to day, but one of my goals here at CyberWire is that we figure out how to do that. 

Brandon Karpf: "Interview with the AI" is a production of N2K Networks. This episode was produced by Jennifer Eiben. Mixing and original music by Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Brandon Karpf. Thanks for listening.