Improving cybersecurity with LLMs: How OpenAI says to do it

If you're wondering how to implement large language models (LLMs) to improve cybersecurity in your organization, here's what OpenAI's Head of Security, Matthew Knight, thinks would be a good place to start for your organization.

During our coverage of RSA Conference '24, we jumped into a seminar where Matthew was sharing practical examples on how to make life easier for cybersecurity analysts and engineers. Some of these will be familiar if you've read Laurentiu Raducu’s article on how to do this last week (great to see our authors are ahead of the curve!)

How can you apply LLMs to improving your organization's cybersecurity

1. Showcasing LLM’s ability for tl;dr’s, multilingual data analysis, threat reports

It’s well known that security professionals have an abundance of information to consume and literally not enough time in the day to do it. Matthew showed a rather neat example of using GPT, where he took a Russian news article on how the government handles personal data, and used the LLM to create a counterintelligence brief for a company that suggested proposed changes to personal data processing in Russia. 

Quite a time saver if you don’t want to learn Russian. 

While this isn’t exactly new in terms of what LLMs can do, it’s worth pointing out that this can be used by cybersecurity professionals to make their life easier. Matthew mentioned that in their experience, if you have a particular intelligence analyst template you like to use, you can give it to the LLM and it’ll do a decent job of matching it.

Matthew also showcased how LLMs could be used to summarize otherwise tediously long technical documents - something that every security engineer would appreciate saving time on.

2. Data Analysis (and other unexpected LLM functions)

If you’re familiar with Conti, the Russian ransomware group, it was dissolved in 2022 after tens of thousands of their messages were leaked online. Matthew showed how OpenAI crawled these chats using an LLM to gather cybersecurity intel, then summarized the findings in a way that would be incredibly difficult for a human to do.

“(Using an LLM this way, you can see) what sort of intel are Conti targeting. What sort of indicators should we look for as a security team? Who are the key players, and what are their relationships to each other? We can identify the vulnerabilities they use, such as what they target in Citrix systems,” he said.

“What’s interesting is that these chats were in Russian shorthand and internet slang. A Russian linguist on my team had a hard time getting through it, but GPT-4 got through it fairly efficiently. We didn’t train it in Russian 4chan slang, but we’re finding this is a useful application.”

3. Helping software developers incorporate security into their workflow

Time is wasted by security teams accommodating the sheer volume of their work, Matthew said. Triaging false positives, and not having the context to fully troubleshoot, is an area LLMs can be particularly helpful. He presented single line bash commands and Perl reverse-shell payloads, and had an LLM correctly flag them as dangerous. 

“You can use LLMs to classify if (this code) is something benight and not malicious. And rather than giving it a single command, you can give it your whole Bash history (for example) or whole SSH log, and have it sniff out suspicious behavior.”

“In contrast, having a security analyst go through a whole Bash history would be cruel and unusual punishment. But that’s no problem with an LLM, since they can do it all day.”

Matthew admitted that an LLM wouldn’t do it perfectly, but using an LLM in this way meant signals that would otherwise go undetected might suddenly become useful.

“Trying to get insights into this data is more scale and scope than security teams usually have."

"GPT-4 is able to identify them… page a security engineer about the issue, and escalate the decision. Without LLMs, these signals might go untapped.”

4. Finding and fixing vulnerabilities in source code

By leveraging LLMs in their workflow, software developers can check for warning signs in their code in real time, according to Matthew. An example he provided was scanning for credentials in source code.

“This is something every application security team has done at one time. You can ask an LLM to write python code to invoke Trufflehog against a remote S3 target. This saves your team valuable time to help them move faster … instead of spending that time writing a Python script.”

Matthew said this was a “massive opportunity for language models,” and a significant step up on static analysis tools.

“Static analysis tools… none are perfect… but they fall short on some things such as business logic flaws in your code. For instance, did your developer use the wrong IAM credentials? They’re not going to know about your custom IAM requirements for cloud. However, LLMs can operate with that context. If they detect a role mismatch, they can suggest code that fixes that bug.”

Conclusion: LLMs can help solve resourcing issues of cybersec teams

“Language models are tools that can benefit security teams wherever they are constrained,” Matthew said. “It can help how fast they can move on incidents, and help them scale up operations.”

This was a recurring theme of RSA '24, and one I have to agree with. At the very least, threat actors will certainly be using LLMs to aid their work from script-kiddies to well-resourced state actors. It doesn't make much sense to be the only one not being backed up by AI, especially when they may have five AI team members for every one human.

Want more news from RSAC 2024

If you're interested in getting more insights from this year's RSA Conference, check out these blog posts:

• The future of cybersecurity teams? 4 digital staff for every human, says Cisco
• Top cybersecurity trends of 2024, according to Google research at RSA
• RSA Conference 2024: The future of AI security
• In 2024, cybersecurity burnout is back—but blame management

Also, if you're looking to skill up in cybersecurity and/or AI, why not check out Pluralsight Skills (shameless plug?). You can try out our learning platform for free, cancel anytime, and watch courses authored by industry experts, for industry experts (Psst. That's you.)