Why generative AI is a double-edged sword for the cybersecurity sector

A lot has been made from the potential for generative AI and giant language fashions (LLMs) to upend the safety trade. On the one hand, the optimistic affect is tough to disregard. These new instruments might be able to assist write and scan code, complement understaffed groups, analyze threats in actual time, and carry out a variety of different capabilities to assist make safety groups extra correct, environment friendly and productive. In time, these instruments can also be capable to take over the mundane and repetitive duties that right this moment’s safety analysts dread, releasing them up for the extra partaking and impactful work that calls for human consideration and decision-making. 

However, generative AI and LLMs are nonetheless of their relative infancy — which implies organizations are nonetheless grappling with the way to use them responsibly. On high of that, safety professionals aren’t the one ones who acknowledge the potential of generative AI. What’s good for safety professionals is usually good for attackers as nicely, and right this moment’s adversaries are exploring methods to make use of generative AI for their very own nefarious functions. What occurs when one thing we expect helps us begins hurting us? Will we ultimately attain a tipping level the place the know-how’s potential as a menace eclipses its potential as a useful resource?

Understanding the capabilities of generative AI and the way to use it responsibly will likely be important because the know-how grows each extra superior and extra commonplace. 

Utilizing generative AI and LLMs 

It’s no overstatement to say that generative AI fashions like ChatGPT might basically change the way in which we method programming and coding. True, they don’t seem to be able to creating code fully from scratch (not less than not but). However when you have an thought for an software or program, there’s a very good probability gen AI might help you execute it. It’s useful to think about such code as a primary draft. It might not be good, nevertheless it’s a helpful place to begin. And it’s rather a lot simpler (to not point out sooner) to edit current code than to generate it from scratch. Handing these base-level duties off to a succesful AI means engineers and builders are free to have interaction in duties extra befitting of their expertise and experience. 

That being mentioned, gen AI and LLMs create output based mostly on current content material, whether or not that comes from the open web or the precise datasets that they’ve been educated on. Which means they’re good at iterating on what got here earlier than, which is usually a boon for attackers. For instance, in the identical approach that AI can create iterations of content material utilizing the identical set of phrases, it may well create malicious code that’s just like one thing that already exists, however completely different sufficient to evade detection. With this know-how, dangerous actors will generate distinctive payloads or assaults designed to evade safety defenses which are constructed round identified assault signatures.

A method attackers are already doing that is by utilizing AI to develop webshell variants, malicious code used to take care of persistence on compromised servers. Attackers can enter the present webshell right into a generative AI device and ask it to create iterations of the malicious code. These variants can then be used, usually at the side of a distant code execution vulnerability (RCE), on a compromised server to evade detection. 

LLMs and AI give technique to extra zero-day vulnerabilities and complicated exploits 

Properly-financed attackers are additionally good at studying and scanning supply code to determine exploits, however this course of is time-intensive and requires a excessive stage of ability. LLMs and generative AI instruments might help such attackers, and even these much less expert, uncover and perform refined exploits by analyzing the supply code of generally used open-source tasks or by reverse engineering business off-the-shelf software program.  

Usually, attackers have instruments or plugins written to automate this course of. They’re additionally extra probably to make use of open-source LLMs, as these don’t have the identical safety mechanisms in place to stop this kind of malicious conduct and are sometimes free to make use of. The consequence will likely be an explosion within the variety of zero-day hacks and different harmful exploits, just like the MOVEit and Log4Shell vulnerabilities that enabled attackers to exfiltrate knowledge from susceptible organizations. 

Sadly, the typical group already has tens and even tons of of 1000’s of unresolved vulnerabilities lurking of their code bases. As programmers introduce AI-generated code with out scanning it for vulnerabilities, we’ll see this quantity rise as a result of poor coding practices. Naturally, nation-state attackers and different superior teams will likely be able to take benefit, and generative AI instruments will make it simpler for them to take action.  

Cautiously shifting ahead 

There aren’t any simple options to this downside, however there are steps organizations can take to make sure they’re utilizing these new instruments in a protected and accountable approach. A method to do this is to do precisely what attackers are doing: Through the use of AI instruments to scan for potential vulnerabilities of their code bases, organizations can determine doubtlessly exploitative features of their code and remediate them earlier than attackers can strike. That is significantly vital for organizations trying to make use of gen AI instruments and LLMs to help in code technology. If an AI pulls in open-source code from an current repository, it’s important to confirm that it isn’t bringing identified safety vulnerabilities with it. 

The issues right this moment’s safety professionals have concerning the use and proliferation of generative AI and LLMs are very actual — a truth underscored by a gaggle of tech leaders lately urging an “AI pause” as a result of perceived societal danger. And whereas these instruments have the potential to make engineers and builders considerably extra productive, it’s important that right this moment’s organizations method their use in a fastidiously thought of method, implementing the required safeguards earlier than letting AI off its metaphorical leash. 

Peter Klimek is the director of know-how inside the Workplace of the CTO at Imperva.