AI, RedSpy365® and the Future

I offered to write this blog article because I believed it would help me organize my own thoughts and insights on the ongoing artificial intelligence (AI) debate. With AI advancing at a rapid pace, the media often speculates about the future, portraying it either as a dystopian nightmare where humans are subjugated to machines or a utopian paradise where humans coexist comfortably with machines. Regardless of where you stand on this issue, there is no denying that AI has already become a reality.

As a child, I developed a keen interest in technology, which started with my Atari 800XL when I was about 10. I spent hours poring over magazines and entering code, which sparked my passion for technology. This interest continued throughout my military service in the Royal Navy and subsequent 20-year career in the civilian workforce, where I defended and attacked various systems as a penetration tester. More recently, I founded RedSpy365®, a continuous penetration testing service. Despite all these years working in the field, my love of technology has not waned, and I’m still as enthusiastic about it as I was almost four decades ago.

When I first heard the buzz surrounding ChatGPT, I initially dismissed it as mere hype the next shiny thing. However, upon closer examination, I was blown away by its advanced capabilities. It felt as though ChatGPT was like an F35 fighter jet landing on a World War One battlefield – light years ahead of its time. As I continued to explore its features and functions in the following weeks and months, I was amazed at how rapidly it evolved, making significant strides in its capabilities.

A few years back, I attended a machine learning course that reminded me of high school math algebra – very math-heavy. While I appreciate math and consider myself to be quite geeky – a term I take as a compliment – I couldn’t fully grasp the practical application of the concepts at the time. It just felt way too math-heavy then.

Fortunately, many more intelligent people did not get lost where I did and continued to push forward, leading to the development of incredible technology like ChatGPT. Although OpenAI and Microsoft are behind ChatGPT, we are now seeing multiple iterations of AI emerge. While I will refer to it as ChatGPT for the sake of this discussion, I am aware of many other variations.

I, like many others, clicked around and found the initial ChatGPT “fun” – almost like a virtual assistant where I could ask it to do things like create a poem from a phrase, or write some Microsoft’s PowerShell code but as I delved deeper, I started to understand the massive implications this could have.

As the founder of RedSpy365, I began to appreciate how artificial intelligence (AI) could revolutionize continuous penetration testing in every aspect. I was thrilled by the prospect of the technology coming to me instead of me having to seek it out. This reminded me of the famous adage, “You skate to where the puck is going to be,” meaning that it’s essential to anticipate the direction of progress and position yourself accordingly. I’ve either made good choices or been very lucky – I’ll take either one.

So here is a little bit about what I’ve learned so far

  • There seems to be some confusion about the private data and ChatGPT. Many people believe that ChatGPT’s data capabilities are limited to 2021 since it returns a message stating that its training data only goes up until then. However, this is not the case.It is possible to use cognitive search through Azure’s ChatGPT to index your own data, whether it’s a database or a sharepoint, and utilize ChatGPT to answer questions or interact with the AI on your own data. In other words, ChatGPT is not restricted to 2021 data and can be applied to private data sources beyond its own training data. Securely. You can also use tools such as langchain for private data.To me, being able to have ChatGPT look and interact with offensive data or compliance data will change that experience. You can ask questions like “do I have an Anti Virus Policy” – tie that together with SIG from Shared Assessments (as we do) and you can now ask the SIG questions against your own policies and procedures. – if the document is not there you can even ask ChatGPT to create one for you. Nice eh?
  • Applications can interact with ChatGPT like you would call a function in code. You can use third-party code such as langchain to connect applications to ChatGPT and call them like you would a function in a code. This means that ChatGPT can be linked and execute actions on tools. We are seeing more and more applications link into ChatGPT – Zapier for instance, now can interact with ChatGPT – so that means 5000+ applications just got added for ChatGPT to integrate in to.

To me, I could ask ChatGPT to build a bot scenario based upon the Tactics of APT 19 or even create a basic bot scenario to link into a tool. Eventually the aim is to ask ChatGPT to monitor our market place, looking for new tools, tactics and techniques added there and to compare that to what it knows about the clients risk – alerting the analyst to new scenarios that may be effective against the client. This is augmentation on another level.

  • Putting it together is the coding part. The idea is to create a front-end application that can call the AI, setting the stage for how it is to be used. This is where prompt engineering can set the tone for the interaction – you could set the application up to only answer cybersecurity-related questions. Prompt engineering is a highly-paid position right now – the skill set is hot.

The application can also be set to use a specific index (specific client data) or use a specific tool (often calling another API) to use in completing its task. There are many variables that can be altered to change the style, brevity, and type of model to use in answering or interacting with the data.

To me, I looked at this and instantly thought “Augmented Virtual Pentester”. It was always on my roadmap but the technology came to me and not the other way around – lucky. The thing is that RedSpy365 was always designed to absorb new technology, to adapt, and to be creative. Adding ChatGPT is a natural progression.

The good news is that the coding part shouldn’t be that tricky – at least to a coder! Gone are the days of the heavy math and it’s more about style and creativity. This is the future. The days of relying upon a specific skillset or tradecraft i.e. ”you are what you know” are waning – the days of creativity and thinking literally “outside of the box” are here. Even if the box is a chat prompt.

What the future holds is up for debate. We see many asking for legislation, to slow down, and pump the breaks. While others say to let the free market decide. I personally think it’s a bit of both. I asked ChatGPT if it was a threat to the human race. It said it was not. However, it did state “technology, is ultimately determined by the intentions and actions of the humans who develop and use it.”

That has me worried. A bit.