In recent years, cybersecurity has become an increasingly important issue as the internet has become a central part of our lives. Hackers and cybercriminals are constantly finding new ways to breach security measures, and it has become more important than ever to have effective cybersecurity measures in place to protect against these threats. Consequently, security professionals have to work harder than ever.
Due to the extraordinary popularity of ChatGPT, I wanted to write a short article about how it can be used in cybersecurity and whether it can replace humans in this field. Representatives of several professions, programmers in particular, are afraid that AI may replace them.
So that the article is not purely theoretical, I would like to see, based on practical examples, how well ChatGPT can handle our daily routine.
Okay, let’s start!!!
My day-to-day routine as a SOC analyst involves monitoring various security tools, investigating the incidents they raise, analyzing them and responding accordingly. So I would like to ask ChatGPT to help me analyze some of these incidents.
Our main tool in the SOC for endpoint protection is an EDR. I will take one of its incidents and we will see what ChatGPT tells us.
We have an alert in the endpoint protection and response tool that someone opened PowerShell and executed the following command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\LKgtmNLCTEp').FKITK)));
What could this command indicate, and does it look suspicious?
The command you provided appears to be a PowerShell command that runs a script encoded in Base64. Let’s break down the command to understand its functionality:
· C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe: This is the path to the PowerShell executable on a Windows system.
· -WindowStyle hidden: This option makes the PowerShell window hidden, meaning it will not be visible to the user.
· -NoLogo: This option prevents the PowerShell logo from being displayed in the console.
· -NonInteractive: This option runs PowerShell in non-interactive mode, which means it will not prompt for user input.
· -ep bypass: This option bypasses the execution policy, allowing the execution of scripts.
· -nop: This option stands for “no profile” and prevents the loading of the user’s PowerShell profile scripts.
· iex: This is a built-in alias for the Invoke-Expression cmdlet, which allows executing a string as a PowerShell command.
· ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\LKgtmNLCTEp').FKITK))): This part of the command retrieves a value from the Windows registry (HKCU:\Software\Classes\LKgtmNLCTEp), decodes it from Base64, and executes it as a PowerShell command.
Without knowing the content of the registry value, it’s difficult to determine the exact purpose of this command. However, it is worth noting that such obfuscated and encoded commands are often associated with malicious activity and can potentially be used to perform unauthorized or harmful actions on a system.
We can say that ChatGPT is quite capable of analyzing complex commands and giving you very useful information. Of course, this is very helpful for analysts, as it saves a considerable amount of time. But there have been cases in my practice when ChatGPT was also wrong in its analysis of a command, so cybersecurity specialists should at least review its output carefully so as not to make any serious mistakes.
Without wasting more time on this incident, let's move on to the next one. This time I want to analyze an incident generated in the SIEM.
In this case, I'm going to analyze an alert which I generated in the SIEM specifically for testing purposes.
I have created an alert in the SIEM: if someone opens a link which ends with "bin.sh", the SIEM must detect it and generate an alert. In this case we got an alert that someone clicked on the link "http://220.127.116.11:54974/bin.sh". Based on this link, can I suppose that this is a suspicious link?
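The same breakdown can be automated so that an analyst does not have to paste every EDR alert into a chatbot. The following added example (not from the original article) scores a PowerShell command line against the indicators ChatGPT listed above; the indicator names, weights and thresholds are my own assumptions, and the sample is the command from the alert.

```python
import re

# Constructed sample: the PowerShell command line from the EDR alert discussed above.
SAMPLE_CMDLINE = (
    r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden '
    r"-NoLogo -NonInteractive -ep bypass -nop iex ([Text.Encoding]::ASCII.GetString("
    r"[Convert]::FromBase64String((gp 'HKCU:\Software\Classes\LKgtmNLCTEp').FKITK)));"
)

# (name, case-insensitive regex, weight). PowerShell accepts abbreviated switches,
# so -ep / -exec / -ExecutionPolicy and -w / -WindowStyle must all be matched.
# Weights are assumptions chosen for this example, not a vendor scoring scheme.
INDICATORS = [
    ("hidden_window",      r"-w(?:indowstyle)?\s+hidden", 2),
    ("exec_policy_bypass", r"-e(?:xec(?:utionpolicy)?|p)\s+(?:bypass|unrestricted)", 2),
    ("no_profile",         r"-nop(?:rofile)?\b", 1),
    ("non_interactive",    r"-noni(?:nteractive)?\b", 1),
    ("invoke_expression",  r"\b(?:iex|invoke-expression)\b", 2),
    ("base64_decode",      r"frombase64string", 2),
    # Payload staged in the registry and read back with gp / Get-ItemProperty.
    ("registry_payload",   r"\b(?:gp|get-itemproperty)\s+['\"]?hk(?:cu|lm):", 3),
]


def analyze_powershell(cmdline):
    """Return (score, [matched indicator names]) for one command line."""
    text = cmdline.lower()
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def verdict(score):
    """Map the score to a triage level (thresholds are assumptions)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


if __name__ == "__main__":
    s, h = analyze_powershell(SAMPLE_CMDLINE)
    print(verdict(s), s, h)
```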
Based on the link you provided, "http://18.104.22.168:54974/bin.sh," it is reasonable to consider this as a suspicious link. Here are some reasons:
· Unusual URL: The URL ends with “/bin.sh,” which suggests that it points to a shell script file. Shell scripts can be used for various purposes, including executing commands on a system. In the context of web browsing, it is uncommon to encounter URLs ending with “.sh” unless the intention is to download and run a shell script.
· Non-standard port: The URL includes the port number “54974,” which is not a commonly used port for web browsing. Using non-standard ports can be an attempt to bypass standard network monitoring or firewall rules, making it potentially suspicious.
· Lack of HTTPS: The URL begins with “http” instead of “https.” This indicates that the connection to the website is not encrypted, potentially exposing any data transmitted between the client and the server to interception or modification.
· IP address: The link uses an IP address, “22.214.171.124,” instead of a domain name. While IP addresses can be legitimate, attackers often use IP addresses for hosting malicious content to avoid detection or takedown of a specific domain.
Considering these factors, the link you provided does raise suspicions. However, it is important to conduct further analysis and investigation to determine the true nature of the link and its associated risks. It is recommended to consult with your organization’s IT security team or a cybersecurity professional who can examine the link and assess the potential threat it poses to your systems and network.
Here we can say that it gives us very useful information, but for a full investigation ChatGPT, as an AI, does not have access to the known databases where it could look up which malware or even APT groups are using this particular link, something I was able to find out easily in one simple operation, both manually and with a tool such as "CORTEX".
Now I want to test how ChatGPT will help me in a vulnerability management case. Accordingly, I will take one of the already scanned weaknesses and ask ChatGPT for useful information about what impact it has, how to solve the problem and, if possible, reference links.
I have scanned one server in my infrastructure and one critical weakness was found. This is the weakness: "The service is providing / accepting the following deprecated versions of the SSH protocol which have known cryptographic flaws: 1.5"
Can you tell me what the impact of this weakness is, what the solution is, and give some reference links?
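The four heuristics ChatGPT gave for the link can be turned into an enrichment step that runs on every alert the SIEM rule raises. This added example (not part of the original article) implements them in Python; the triage thresholds are my assumptions and the sample URLs are constructed, using the 192.0.2.0/24 documentation range rather than a real host.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample alerts in the shape the SIEM rule above would raise.
SAMPLE_ALERTS = [
    "http://192.0.2.10:54974/bin.sh",            # all four heuristics fire
    "https://downloads.example.com/install.sh",  # only the .sh path is unusual
    "https://www.example.com/index.html",        # nothing suspicious
]

# Ports commonly seen for web browsing (assumption; tune to your environment).
WEB_PORTS = {80, 443, 8080, 8443}


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url):
    """Return the list of reasons a URL looks suspicious (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.path.lower().endswith(".sh"):
        reasons.append("path points to a shell script")
    if parts.port is not None and parts.port not in WEB_PORTS:
        reasons.append(f"non-standard port {parts.port}")
    if parts.scheme.lower() == "http":
        reasons.append("plaintext HTTP, no TLS")
    if is_ip_literal(parts.hostname):
        reasons.append("host is a bare IP address, not a domain")
    return reasons


def triage(url):
    """Return (level, reasons); three or more reasons is treated as high."""
    reasons = assess_url(url)
    level = "high" if len(reasons) >= 3 else "medium" if reasons else "low"
    return level, reasons


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert, triage(alert))
```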
The weakness you mentioned pertains to a server providing or accepting deprecated versions of the SSH (Secure Shell) protocol, specifically version 1.5. Here’s some information regarding the impact, solution, and relevant reference links:
Using deprecated versions of the SSH protocol, such as 1.5, can expose your server to various security vulnerabilities. The SSH protocol version 1.5 is considered outdated and has known cryptographic flaws, making it susceptible to attacks and exploitation by malicious actors. Attackers could potentially intercept, manipulate, or decrypt SSH communications, compromising the confidentiality, integrity, and authenticity of your server’s data and connections.
To address this weakness, it is recommended to discontinue the use of SSH protocol version 1.5 and enforce the use of more secure versions, such as SSH protocol version 2. SSH protocol version 2 has significant security improvements and is widely supported by modern SSH implementations.
To resolve the weakness, follow these steps:
- Update the SSH configuration on the affected server to disable support for SSH protocol version 1.5.
- Enable or enforce SSH protocol version 2.
- Ensure that all SSH clients and servers connecting to the affected server also support SSH protocol version 2.
- Test the configuration changes thoroughly to ensure proper functionality and compatibility before deploying them to a production environment.
Here are some reference links that provide more detailed information on the impact of deprecated SSH protocol versions and guidance for securing your SSH implementation:
- OpenSSH Security: The official website of OpenSSH, a widely used SSH implementation, provides security-related announcements, advisories, and updates.
- NIST Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations: This NIST publication outlines security controls for information systems, including guidelines for secure SSH configuration.
- Secure Secure Shell: This article by Colin Percival offers in-depth explanations and recommendations for securing SSH configurations, including the deprecation of SSH protocol version
Remember, it is important to apply security best practices and keep your SSH implementation up to date to protect your server and data from potential vulnerabilities and attacks.
It can be said that ChatGPT provided us with comprehensive information in response to our question.
Based on my practice, I can conclude that ChatGPT can detect suspicious commands, analyze logs, strings and phishing emails, find information about vulnerabilities, etc., but I think that it is not able to fully respond to threats: it has no access to different databases and is not yet capable of integrating APIs. For instance, we still must manually analyze observables such as IP addresses, hashes, files, domains, etc.
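Checking the remediation steps above can also be scripted. The following added example (mine, not from the article or from OpenSSH) parses sshd_config fragments for the Protocol directive and classifies the server identification banner a scanner sees; the two config fragments are constructed to show the flagged setting beside the corrected one.

```python
import re

# Constructed sshd_config fragments: the setting the scanner would flag, and the fix.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed example)
Port 22
Protocol 2,1
PermitRootLogin no
"""
FIXED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
"""


def protocols_enabled(config_text):
    """Return the set of SSH protocol versions the config enables."""
    enabled = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, _, value = re.split(r"[\s=]+", line, maxsplit=1) + [""] * 2 if False else (line.split(None, 1) + [""])[:2] + [""] if False else None or (lambda p: (p[0], None, p[1] if len(p) > 1 else ""))(re.split(r"[\s=]+", line, maxsplit=1))
        if key.lower() == "protocol":
            enabled.update(v.strip() for v in value.split(",") if v.strip())
    # Unset: OpenSSH has defaulted to protocol 2 only since 5.4, and 7.4 removed v1.
    return enabled or {"2"}


def remediation_needed(config_text):
    """True when legacy protocol 1 (the 1.5 the scanner reported) is still enabled."""
    return "1" in protocols_enabled(config_text)


def check_banner(banner):
    """Classify an SSH identification string, e.g. 'SSH-1.99-OpenSSH_5.3'."""
    m = re.match(r"SSH-(\d\.\d+)-", banner)
    if not m:
        return "not an SSH banner"
    ver = m.group(1)
    if ver == "2.0":
        return "v2 only"
    if ver == "1.99":  # RFC 4253 5.1: server speaks v2 but still accepts v1 clients
        return "v2 with v1 fallback"
    return f"legacy v{ver}"
```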
Therefore, it is my opinion that despite the power of ChatGPT in cybersecurity, the human role in this field remains critical. While ChatGPT can help detect and prevent cyber attacks, it is humans who design and implement cybersecurity measures, and humans who must remain vigilant in identifying and responding to cyber threats.
ChatGPT has emerged as a powerful tool in the fight against cyber attacks, but the human role in cybersecurity remains crucial. By working together, humans and ChatGPT can help detect and prevent cyber attacks, protecting sensitive data and ensuring the security of our digital world. By staying vigilant and informed, we can continue to strengthen cybersecurity and protect against the evolving threat of cyber attacks.