Full Report
Wiz recently talked with security expert Clint Gibler about the many uses of AI in the cybersecurity space.
Analysis Summary
# Main Topic
The application and utility of Artificial Intelligence (AI) and Large Language Models (LLMs) across various domains within cybersecurity, based on insights shared by security expert Clint Gibler during a discussion with Wiz.
## Key Points
- AI is viewed as a tool that can make cybersecurity practices faster, easier, and cheaper, but it is not a perfect, catch-all solution.
- Core LLM concepts discussed include *few-shot prompting*, *context window*, *Vector DB*, *Retrieval Augmented Generation (RAG)*, *Agent* execution, and giving models *Tools* (like Google search or API calls).
- The utility of AI lies in solving real problems, even if the output isn't perfect, as long as it saves significant time (e.g., editing is faster than writing from scratch).
- LLMs are currently being used by both defenders (analyzing code, spotting cloud misconfigurations) and attackers (creating sophisticated phishing content).
## Threat Actors
- Cybercriminals are finding ways to leverage generative AI for creating highly sophisticated phishing content.
- Specific threat actor groups were not attributed, but the general capability of AI-driven social engineering was highlighted.
## TTPs
- **Phishing/Social Engineering:** LLM agents are capable of scraping social media profiles to generate tailored, personalized phishing messages and engaging in successful negotiation/persuasion activities.
- **Web Application Attacks:** LLM-enhanced Burp Suite extensions are being used to analyze HTTP requests/responses to identify security flaws like Cross-Site Scripting (XSS) and misconfigured HTTP headers.
- **Cloud Privilege Escalation:** Tools like EscalateGPT use LLMs (e.g., GPT-4) to analyze complex combinations of IAM policies across multiple accounts to identify potential privilege escalation paths in AWS environments.
- **Development/Fuzzing:** LLMs can be tasked with identifying gaps in existing fuzzing infrastructure (areas lacking code coverage) and generating new fuzzing test harnesses and related code.
## Affected Systems
- **Web Applications:** Systems subject to standard web security testing, potentially including multi-step sequences such as checkout flows or OAuth/SAML protocol interactions.
- **Cloud Environments (AWS):** Specifically, environments configured with complex AWS IAM policies that are susceptible to privilege escalation.
- **Fuzzing Infrastructure:** Any existing security testing infrastructure where code coverage is incomplete.
## Mitigations
- Development and deployment of counter-tools designed to distinguish AI-generated content from human activity (noted as an ongoing "cat and mouse game").
- Expansion of existing security tooling (like Burp extensions) to analyze sophisticated request sequences (e.g., multi-step protocols) rather than just single requests.
- Utilizing AI analysis tools (like EscalateGPT) to proactively identify complex privilege escalation risks within cloud IAM configurations before exploitation.
- Using LLMs to augment existing fuzzing efforts by generating missing test harnesses to increase code coverage.
## Conclusion
The integration of LLMs into security workflows presents significant efficiency gains for defenders, particularly in speeding up tasks like code analysis, policy review, and test case generation. Concurrently, these technologies empower threat actors to create highly contextualized social engineering attacks and potentially automate vulnerability scouting. Security professionals must treat AI as a powerful, imperfect tool to leverage for productivity while remaining vigilant against AI-enhanced offensive capabilities. No specific IoCs or concrete patch details were provided in this discussion.