Breaking Badness

161. The Early Bird Gets the WormGPT

Coming up this week on Breaking Badness: A Can of WormGPTs, The Plan To Plan, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

A Can of WormGPTs

  • The generative AI tool cybercriminals could use for Business Email Compromise (BEC) attacks
  • Just a real quick rehashing of what BEC is for those who don’t know
    • It’s a type of cybercrime where the bad actor poses as a trusted figure (likely someone within your organization) and tricks the victim into sending money or revealing proprietary company information 
  • One of the ways individuals have been able to spot an email scam has been through the level of English displayed within the text
    • When cybercriminals send messages with a limited command of English (or whatever the native language of the target is), recipients can usually spot the mistakes that denote a scammer
    • However, with generative AI the gap is closing: criminals who aren’t fluent in the language of the supposed sender can greatly improve their messaging, to the point where it’s hard to tell that the scammer came from elsewhere
  • Jailbreaks
    • There are ethical standards in place within ChatGPT that would prevent users from seeking answers to more unsavory topics
    • However, “jailbreaks” allow cybercriminals to bypass those standards to find answers to more sensitive topics, produce inappropriate content, or execute harmful code
    • This leads to custom modules of ChatGPT for nefarious purposes: enter WormGPT
    • The team at SlashNext gained access to WormGPT and conducted tests with a focus on BEC attacks
      • They found the results to be “unsettling” 
      • The work produced was strategic and persuasive 
      • They also found that it’s troubling because this means bad actors with a more limited skillset could have a lower entry threshold to begin executing these kinds of attacks
  • To note, while there are likely BEC attacks in the wild, we are unaware of them at this point
    • We discussed how it might be difficult to even spot a BEC attack that used generative AI unless the bad actors admit it was part of the strategy 
  • How to mitigate
    • Organizations should develop updated training regarding BEC attacks and educate staff on how AI might augment those attacks
    • Companies can enact enhanced email verification measures that flag messages containing keywords like ‘wire transfer’ or ‘sensitive’
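
One way to implement the keyword flagging from the mitigation list, as an added example that is not from the podcast or the articles it covers. The domain, the name directory and the sample messages are constructed assumptions, and the display-name and Reply-To checks are additions beyond the keyword check the recap names:

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the organization's domain and a directory of
# people likely to be impersonated. The keywords are the two named in the recap.
INTERNAL_DOMAIN = "example.com"
TRUSTED_NAMES = {"dana reyes"}  # hypothetical executive
KEYWORDS = ("wire transfer", "sensitive")

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Dana Reyes <dana.reyes@examp1e-mail.test>\n"
           "Reply-To: payments@other.test\n"
           "Subject: Urgent wire transfer\n\n"
           "Please keep this sensitive and send today.\n")
LEGIT = ("From: Dana Reyes <dana.reyes@example.com>\n"
         "Subject: Wire transfer policy reminder\n\n"
         "See the finance wiki.\n")

def domain_of(addr):
    """Lower-cased domain part of an email address."""
    return addr.rpartition("@")[2].lower()

def bec_flags(raw):
    """Return the reasons a raw single-part message deserves manual review."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    flags = []
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        flags.append("keyword:" + ",".join(hits))
    # A trusted name on an address outside the organization is the classic
    # BEC pattern: fluent wording does not change where the mail came from.
    if domain_of(addr) != INTERNAL_DOMAIN and name.strip().lower() in TRUSTED_NAMES:
        flags.append("display-name-impersonation")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-mismatch")
    return flags

def needs_verification(raw):
    """Keywords alone are noisy; require a keyword plus an identity signal."""
    flags = bec_flags(raw)
    return any(f.startswith("keyword:") for f in flags) and len(flags) > 1

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_flags(raw), needs_verification(raw))
```

Because the checks key on headers and not on writing quality, they keep working when the message text itself is polished.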

The Plan To Plan

  • The Biden Administration’s 57-page National Cybersecurity Strategy Implementation Plan describes more than 65 initiatives that various federal agencies will implement during the next several years.
  • We discussed this plan a few episodes back – episode 153 to be exact, if you’d like to listen to that episode first
  • In that episode, we discussed the plan, which laid out what the goals were. In this update and this episode, it’s about the tactics that it will take to accomplish these goals
  • One of the potential blocks to carrying these plans through is bipartisan support, which could impact funding
  • While bipartisan support might be challenging to come by, the view of those within the cybersecurity community is that the plan is directionally good and more specific than anything we’ve had before at the national level, but there is a lot standing between us and a real implementation
  • The plan involves five pillars, but the third (Shape Market Forces to Drive Security and Resilience) is considered the most consequential to security experts
  • It’s adding some carrot on the other side of the regulatory stick, although the carrot in this case isn’t coming directly from the government in that they’re not just handing out dollars for anyone who can demonstrate that their stuff is secure
  • The reality is that in our system, market forces are the dominant forces, for better or worse
  • One sentence that stood out to me was toward the end of the article where it’s thought that if incident response is at the federal level, it may give ransomware operators pause when hitting hospitals
  • To security teams, that brings skepticism that the level of government will deter bad actors, but we shall see
  • Is it possible to see those in the private sector brought to national-level responders in significant events?
  • This is currently being done in a sense – Mandiant is very much on record helping

This Week’s Hoodie/Goodie Scale

A Can of WormGPTs

[Taylor]: 6.5/10 Hoodies
[Tim]: 7/10 Hoodies

The Plan To Plan

[Taylor]: 3.5/10 Goodies
[Tim]: 4/10 Goodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!