No-Hype Use of LLMs in Cybersecurity

Three use cases of Large Language Models (LLMs) to save time and immediately enhance productivity

While there is tremendous hype around LLMs, many people in Cybersecurity are still struggling to put news tools like ChatGPT and Google Bard to practice. This is a brief article to discuss use cases that will save time and quickly enhance your productivity in carrying out common tasks.

  1. Create Bash Scripts to automate Cyber Security tasks
  2. Super fast SIEM use cases development
  3. Assistance in Security Awareness Program

Use Case 1: Automate Cybersecurity Tasks with bash Scripts

Many Cybersecurity professionals need automating simple tasks using scripts that would otherwise take a large amount of time and work. ChatGPT can create bash shell scripts quickly that you can adapt to your needs. Let us assume your policy requires disabling username/password authentication to SSH and allows only key based authentication. The following example shows how ChatGPT creates a script to accomplish it on a large number of servers. Carefully take a look at the prompt and response

User Prompt

“create a bash shell script that to check if SSH login using username and password is enabled on a large number of Linux servers. Assume key based login is enabled on these servers for a user with username “super_secret_admin”. The list of server IP addresses is stored in a file servers.txt, one IP address per line.”

ChatGPT Response

“To check if SSH login using a username and password is enabled on a list of Linux servers where key-based login is enabled for the user “super_secret_admin,” you can use a Bash script that reads the list of server IP addresses from a file and remotely checks the SSH server configuration for the “super_secret_admin” user. Here’s a sample script for this task:

#!/bin/bash

# Specify the path to the file containing server IP addresses

server_list_file="servers.txt"

# Specify the SSH username (super_secret_admin user)

ssh_user="super_secret_admin"

# Function to check if SSH password authentication is enabled for the super_secret_admin user

check_ssh_password_auth() {

    server_ip="$1"

    ssh_config_file="/etc/ssh/sshd_config"

    # Use SSH to remotely fetch the SSH server configuration

    ssh_config=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$ssh_user@$server_ip" "cat $ssh_config_file")

    # Check if PasswordAuthentication is set to yes in the sshd_config

    if [[ "$ssh_config" =~ "PasswordAuthentication yes" ]]; then

        echo "SSH password authentication is enabled for $ssh_user on $server_ip."

    else

        echo "SSH password authentication is not enabled for $ssh_user on $server_ip."

    fi

}

# Main script

if [ -f "$server_list_file" ]; then

    while read -r server_ip; do

        echo "Checking SSH configuration on $server_ip..."

        check_ssh_password_auth "$server_ip"

    done < "$server_list_file"

else

    echo "Server list file not found."

fi

Replace “super_secret_admin” with the appropriate SSH username you want to check for password authentication.

Ensure that the SSH key of the machine running this script has access to the servers you are checking. The script reads server IP addresses from the servers.txt file, one per line, and then connects to each server to check the sshd_config file for the presence of “PasswordAuthentication yes” for the “super_secret_admin” user to determine if password authentication is enabled.

You can run this script with the command bash script.sh. It will check each server listed in the servers.txt file.

Make sure you have the necessary permissions and approvals to perform remote checks on these servers.

Here is a partial screenshot of this prompt and response.

Note that you can fine tune the prompt if the result does not meet your needs. Also note that you still need knowledge of Bash scripting to make sure the generated script meets your needs and that you are able to make manual fine tuning to the script, if needed. ChatGPT is your assistant, not your replacement!

Use Case 2: Super Fast SIEM Use Case Development

LLM tools are also very useful to quickly fine tune SIEM rules and enhance detection capabilities in Security Operations Centers (SOC). The following simple example shows how quickly ChatGPT created Splunk code for detecting directory traversal attacks. 

The next screenshot shows Google Bard response to the same prompt with a different answer.

Use of these tools can greatly enhance speed of SIEM tuning and detection capability. The work that usually needs days can be accomplished in hours.

Use Case 3: Assistance in Security Awareness Program

Writing good communication is an art and many of us in the Cybersecurity field are not very skillful in written communication. Fortunately now we have ChatGPT to come to our assistance. Please see the following prompt and response in crafting a communication to your specific audience.

User Prompt

“Craft a brief email for executive management team members highlighting importance of security awareness month and actions that the board should take during this month.”

ChatGPT Response

“Subject: Security Awareness Month: Enhancing Our Organization’s Resilience

Dear Members of the Executive Management Team,

I trust this message finds you well. As we usher in Security Awareness Month, I want to underscore the critical importance of this initiative and outline the actions that our Board of Directors should consider to reinforce our commitment to cybersecurity.

Security Awareness Month serves as a yearly reminder of the dynamic and ever-evolving nature of security risks within our industry. It is a timely opportunity to focus our efforts on strengthening our organization’s security posture. To this end, I recommend the following actions for our Board’s consideration during this month:

1. **Increased Employee Vigilance**: Encourage all staff to maintain a heightened level of awareness when it comes to security threats. The mantra “See something, say something” should be reinforced throughout our organization.

2. **Education and Training**: Support and participate in security awareness training sessions for our employees. Highlight the importance of robust password management, data protection, and secure online practices.

3. **Policy and Procedure Review**: Conduct a thorough examination of our existing security policies and procedures. Identify areas where revisions or improvements are needed to address emerging threats.

4. **Incident Response Simulation**: Consider organizing a tabletop exercise to test our incident response plan. Ensure that all Board members and key staff are well-prepared in the event of a security incident.

5. **Expert Insights**: Explore the possibility of inviting external security experts to provide insights on emerging threats and best practices in security. Their perspective can be invaluable in fortifying our defenses.

6. **Stakeholder Communication**: Maintain transparent communication with our stakeholders, including customers and partners, regarding our dedication to security and the measures we are implementing to safeguard their data.

7. **Resource Allocation**: Evaluate and approve the allocation of necessary resources for our security initiatives. Invest in technologies and training programs that enhance our ability to mitigate threats effectively.

8. **Regular Updates**: Ensure that our Board members are well-informed about the progress of our security initiatives and receive regular reports on security-related incidents and trends.

By collectively embracing these actions during Security Awareness Month, we will not only strengthen our resilience against potential security threats but also reinforce our unwavering commitment to the security of our organization and the trust of our stakeholders.

Your support and involvement in these efforts are invaluable. Thank you for your commitment to the security and success of our organization.

Best regards,

[Your Name]

[Your Title]

[Your Contact Information]

Let us say this text is too long for your purpose. A follow-up prompt, as shown below, makes it much shorter. 

Using LLM tools as your assistance in a security awareness program is a great help.

Check Your Corporate Policy for LLM Use

Before using LLM tools, check your corporate policy. The tool may store your prompts and use them to enhance capabilities of the model. If you put any sensitive information in the prompt, it may result in unintentional data leakage. Use these tools with caution and in accordance with your corporate policies.

Recent Posts

Subscribe to Blog

About Rafeeq Rehman

Consultant, Author, Researcher.
This entry was posted in InfoSec, Leadership, SOC and tagged , , , , , . Bookmark the permalink.

Comments are closed.