ChatGPT For Cybersecurity

00:02

foreign

00:04

[Music]

00:08

here back again with another video in

00:12

this video I'm going to be showing you

00:14

how to utilize chat GPT for cyber

00:17

security

00:18

um so I'm gonna you know start off by

00:19

explaining what it is uh because a lot

00:21

of you have asked me about it and uh

00:23

sort of giving you examples of how it

00:25

can be used both on the red team side of

00:28

cyber security as well as the blue team

00:30

site and of course we'll be discussing

00:32

my haircut in the comments section but

00:34

let's get started so I'm just going to

00:37

give you a you know very uh brief

00:39

introduction uh in the form of slides

00:42

because I think that's most appropriate

00:44

um so why am I making this video uh well

00:46

firstly as you already know chat jpt has

00:49

received a lot of attention from the

00:51

technology industry and specifically the

00:53

cyber security industry and this is

00:56

something that you know uh you know took

00:58

open AI the company behind chat jpt by

01:01

surprise uh given the fact that you know

01:03

cyber Security Professionals will

01:05

quickly jump on chat apt and test it and

01:08

we've discovered a lot of crazy things

01:09

that can be done so the main objective

01:13

here is to show you how you can how tall

01:15

to use it is very very simple and then

01:16

of course show you what it's capable of

01:18

at a very basic level of course I'm

01:20

encouraging you to try it out for

01:22

yourself so there have been a lot of

01:24

questions surrounding the impact uh you

01:26

know the effects that chap uh chat GPT

01:28

will have on cyber security uh the cyber

01:30

security industry and practitioners so

01:32

that's one of the second reasons why I'm

01:34

making this video is I've gone a lot of

01:37

private messages are asking me well uh

01:39

you know chat GPT is cool but what

01:41

impact will this have not just through

01:44

chat GPT but generally speaking what

01:46

impact will AI have on cyber security

01:49

and will this affect cyber security jobs

01:51

so on and so forth and the other reason

01:54

of course is it's an invaluable tool or

01:56

resource that can be used to improve

01:58

your ksas that is knowledge skills and

02:00

abilities in a particular field within

02:02

cyber security but not limited to cyber

02:05

security as you'll see and finally of

02:07

course it's a game changer in my opinion

02:09

now the main question is why have I

02:11

taken this long to make a video on

02:14

chatgpt well the reason for that is

02:16

firstly I wanted to try it out for

02:17

myself

02:18

and also think quite deeply about the

02:22

second Point here which is a question

02:24

and that is how will this affect cyber

02:26

security in the long term all right and

02:28

I'll be answering that towards the end

02:30

of the video so lots of reasons and I

02:34

wanted to take my time and sort of under

02:36

stand it get an idea of what it can and

02:38

can do what are its benefits and of

02:41

course limitations so that begs the

02:43

question what is chat GPT well chat GPT

02:47

is an AI driven chatbot launched by

02:50

openai in November 2022 it is trained

02:54

using reinforcement learning from Human

02:56

feedback which is a um

02:59

a learning technique and of course that

03:02

the abbreviation for that is RL HF which

03:04

I'll touch upon and it's built on top of

03:07

openai's GPT 3.5 family of large

03:10

language models and is fine-tuned with

03:13

both super supervised and reinforced

03:16

learning techniques and you can get

03:17

started with uh chat DPT by visiting the

03:20

following link it is currently free at

03:22

the moment because it's still in the

03:23

preview mode and I'll explain what that

03:27

means but you'll actually learn a lot

03:29

about this shortly so

03:31

that's essentially an intro to chat GPT

03:33

now the best way to show you this is to

03:36

actually give you a demo so I'm going to

03:37

switch over to my browser and we can get

03:40

started

03:42

all right so I'm currently on the open

03:44

AI website and the reason I want to

03:47

start off here is because this is your

03:49

starting point so you'll need to create

03:51

an account is free and then you'll have

03:52

access to uh chatgpt or the chatbot

03:56

itself which is accessible on the

03:57

chat.openei.com

03:59

but before that we need to understand a

04:01

few things so right on the website we

04:04

have a a brief description so you can

04:06

see chat GPT optimizing the language

04:08

models for dialogue so we've trained a

04:11

model called chatgpt which interacts in

04:14

a conversational way that's very

04:15

important one of the the great things

04:17

that a lot of people have liked about

04:18

chat GPT and really on the utilized is

04:22

its conversational uh method of of

04:25

interacting with you or with you know

04:28

you interacting with it so what this

04:30

means is that the dialog format makes it

04:32

possible for chat TPT to answer

04:34

follow-up questions which is something

04:35

again that you should take advantage of

04:37

admit its mistakes challenge incorrect

04:40

premises and reject inappropriate

04:43

requests so in addition to just giving

04:45

you answers and you're responding in

04:47

let's say a way that it expects you know

04:49

sort of asking a follow-up question you

04:52

can also you know essentially tell the

04:56

actual chatbot that hey this doesn't

04:57

look correct and uh you know the

05:01

response obviously will either be too

05:03

you know to cross verify that or to tell

05:05

you you know this is where it's limited

05:07

so on and so forth so

05:10

um chat Deputy is a sibling model to

05:12

instruct GPD which is trained to follow

05:14

an instruction prompt and provide a

05:16

detailed response and of course you can

05:19

scroll down right over here and you know

05:21

you know they essentially go over some

05:23

of its strengths and weaknesses and at

05:25

the moment you can see it's free uh

05:27

during the research preview stage and

05:30

this is a tool that obviously is gonna

05:32

be priced or BPI is going to be behind a

05:35

paywall and you'll see why in a couple

05:38

of seconds so you can see that again

05:40

they give a couple of examples here

05:42

specifically for developers where you

05:44

can put in a code snippet or a chunk of

05:47

code and say this code is not working

05:49

like I expect how do I fix it all right

05:52

so there's two questions in that one

05:53

statement and it's a very detailed

05:55

specific question and you know you the

05:58

user paste in the snippet of code and

06:01

you can see the response from chat GPT

06:03

is you know tells you it's difficult to

06:04

say what's wrong with the code without

06:05

more context so this is something that's

06:08

very very important uh for bespoke

06:11

questions or very nuanced questions

06:14

um you will be required to provide

06:16

context and that is something that you

06:19

need to be acutely aware of anyway you

06:22

can see that jtbt responds and you know

06:25

the user says the error never surfaces I

06:28

think there's something wrong with the

06:30

channel so you know there's essentially

06:32

a conversation there so on and so forth

06:34

and they go ahead and explain the

06:36

methods so this is where we have the um

06:38

reinforcement learning from Human

06:40

feedback uh technique and this is the

06:44

same technique used or the same method

06:46

that's used as or within instruct GPT

06:49

with slight differences in the data The

06:52

Collection setup so they've trained the

06:53

initial model using a supervised

06:55

fine-tuning human AI trainers provided

06:58

you know provided conversations in which

07:02

they played both sides the user and the

07:04

the AI assistant we gave the trainers

07:07

access to model written suggestions to

07:10

help them compose their responses we

07:12

mixed this new dialogue data set with

07:14

the instructor GPT data set so on and so

07:16

forth so they actually explained this

07:18

entire process which I recommend you go

07:20

through and of course they outline the

07:23

limitations so I'll specifically talk

07:27

about one of the limitations here

07:31

and uh this one right over here so the

07:34

model is often excessively uh verbose

07:36

and over uses certain phrases such as

07:39

restating that it's a language model

07:40

trained by open AI so on and so forth

07:42

and you'll actually see that so

07:44

uh yeah and then finally of course it's

07:46

an iterative deployment so do take note

07:49

of that and um you know you can actually

07:51

go through their website now to get

07:53

started uh you can see I've signed in

07:55

and this is the interface uh

07:58

fundamentally speaking so you can see

08:00

that you have the Discord server at the

08:02

bottom here and you can switch to a

08:03

light mode or a dark mode and you can

08:06

you know check the latest updates and

08:08

the FAQ pages and you can log out and

08:10

you can create new chats here so I'm

08:13

currently interacting with it here and

08:14

it gives you very useful uh very useful

08:17

starting point so you have examples

08:18

capabilities and limitations

08:21

and we're going to be taking a look at a

08:24

couple of examples both on the red team

08:26

side and the blue team side of things so

08:28

just keep that in mind and you know

08:30

you'll actually see how powerful this is

08:33

um so to get started um how does this

08:35

work well you essentially ask it a

08:36

question all right that's very very

08:38

simple you just say uh you know so I can

08:40

ask for example what is red teaming very

08:44

simple question right and this is how

08:47

it'll respond so it'll say red taming is

08:49

a method you know of evaluating the

08:50

strengths and weaknesses of plan

08:51

organizational or system by simulating

08:54

the actions of an adversary uh we can

08:57

send you know

08:58

uh we can then ask it a follow-up

09:00

question this is not really a good

09:01

example but um I'll show you what that

09:04

looks like so you ask it a question and

09:05

it gives you a definition now one of the

09:08

the issues that I have especially for

09:10

researchers is this definition of course

09:13

does not you know it doesn't tell you

09:15

where it's obtained the definition of

09:16

course there's multiple sources behind

09:18

the data set but it doesn't give you the

09:21

actual sources so for researchers you

09:23

know this will sort of give you a very

09:24

succinct explanation which you can then

09:27

derive from and then perform further

09:29

research but you know you ask it a

09:31

question and

09:32

um you know

09:33

it then gives you a response based on

09:35

what you asked it so in this case I can

09:37

say what's uh for example what is nine

09:41

times eleven sorry what is nine

09:45

um times 11.

09:47

I can ask it that uh the way and say

09:49

that uh is incorrect all right that's

09:53

sort of the responses that you can give

09:57

so you can see I told you that it's

09:59

incorrect now of course I know it's

10:00

correct but it tells you right over here

10:03

I apologize for the mistake the correct

10:04

answer is 99. please let me know if you

10:06

have any other questions so this is one

10:08

of the important things that I wanted to

10:10

touch upon is that you can have a

10:12

dialectic

10:13

um you know discussion or dialogic

10:16

discussion with the actual chatbot and

10:18

it's very intelligent now of course I've

10:20

used very stupid examples but you also

10:22

have the ability to modify your

10:24

questions and more importantly you can

10:26

also start a new chat so I'm just going

10:28

to delete this one here because if you

10:31

take a look at this here it remembers

10:32

what the user said earlier in the

10:34

conversation so for different topics and

10:36

contexts I'm just going to create a new

10:38

chat like we have over here so I'll give

10:41

you a simple example of what a cyber

10:43

security student or practitioner may ask

10:45

a chat GPT so for example I can say uh

10:49

let's try and change it we can say how

10:52

can I scan uh for SMB vulnerabilities

10:58

with nmap you know that's a it's a very

11:02

I wouldn't say it's a very specific

11:04

question but we're asking it a question

11:06

that's loaded with context and uh what

11:09

am I saying when I say this well we've

11:10

mentioned a tool we've mentioned a

11:13

specific technology SMB and this is in

11:16

the context of both offensive and

11:18

defensive security but I can say you

11:19

know I can ask the question here

11:21

uh now this is one of the issues with

11:23

its verbosity in that it now it gives

11:25

you a definition of nmap which is very

11:26

very helpful

11:28

um but um you can see that uh right over

11:32

here it gives you the definition of what

11:33

nmap is and then it says to scan it uh

11:36

to scan for SMB vulnerabilities with

11:38

nmap you can use the following command

11:39

and it actually gives you the the actual

11:41

code snippet here so nmap you limit the

11:44

scan to Port 445 and then you specify

11:47

the script option and then you specify

11:49

the SMB vulnerability scripts but use

11:53

the wildcard flag right over here or the

11:56

wildcard option to specify that you want

11:58

to use all nmap scripts and then specify

12:00

the Target right and then it gives you a

12:02

follow-up explanation which is awesome

12:03

so it tells you that this will scan the

12:05

target host for network uh this will

12:07

scan the target host on network for SMB

12:10

vulnerabilities and then it explains

12:12

what each of the options in flag flags

12:14

do and then it says radio you can also

12:16

use the a option to enable OS detection

12:19

and version scanning so on and so forth

12:22

so

12:23

I mean this is absolutely incredible if

12:26

you think you know if I think about it

12:27

from when I was a student or when I was

12:29

getting into cyber security this is an

12:32

invaluable resource now why am I saying

12:34

this you know you might be saying well

12:35

there's resources online that you can

12:36

find via Google and that's true however

12:39

to ask to be able to ask a question like

12:42

this with a very basic I would say

12:45

grammar or I did maybe I didn't

12:46

structure it correctly but I had enough

12:48

context and for this explanation uh you

12:51

know for this question to be answered

12:52

with such a you know really well written

12:56

explanation and examples of code

12:58

Snippets as well as

13:01

um the actual explanation of what the

13:03

command does is absolutely fantastic so

13:07

that's a very basic example now we can

13:11

try out a couple of other examples so

13:13

for example you know I can say

13:15

um

13:16

generate a PHP reverse shell one liner

13:21

now this is you know you may be asking

13:23

yourself can I do this well of course so

13:24

it gives you the definition of what a

13:27

reverse shell is and then absolutely

13:30

incredible it provides you with a

13:34

it provides you with a PHP reverse shell

13:37

one-liner and explains how it works

13:40

fundamentally speaking I mean this is

13:42

absolutely insane now follow-up question

13:44

that I could ask is

13:46

encode the code above

13:50

you know

13:51

and then right over here it tells us you

13:54

know to encode the PHP reversial one

13:56

lineup you can use a tool such as base64

13:59

so you know we didn't provide it with

14:01

context with regards to how we want to

14:04

encode it but you know we can ask

14:05

follow-up questions and this is

14:08

absolutely phenomenal so it encodes it

14:10

in base 64. and you can see this will

14:13

output the encoded version right over

14:15

here that's how to generate it as a you

14:17

know one-liner base64 string and to

14:21

decode it you know it gives you

14:22

instructions not to decode it so

14:25

absolutely phenomenal so these are just

14:27

a couple of examples now I can even go a

14:29

bit further with this I can say for

14:32

example

14:33

um

14:34

let's try something a bit a bit more

14:37

nuanced so I can say uh how can I fuzz

14:41

uh sorry let me type that in correctly

14:43

how can I fuzz 4

14:46

um XML files with gobuster and let me

14:50

make sure you guys can see this but

14:52

there we are you can see how can I fast

14:53

for example files with Go Buster

14:56

that we also gives you a definition of

14:58

what gobuster is and um

15:01

you know this is absolutely incredible

15:05

so it actually explains really

15:08

everything about that particular command

15:10

and it then gives you an example

15:13

and I can show you another follow-up

15:15

that you can ask it as you know as we

15:17

are curious pen testers really uh you

15:19

know we could maybe say all right so

15:23

um

15:24

let's see if I can if this will work so

15:26

I can say

15:27

um

15:48

uh we can say fuzz how can I I'll just

15:51

write it here so using the above code

15:52

how can I also limit gobuster to fuzz or

15:56

um PHP files

15:59

that return

16:01

a let's see this is actually a quite

16:04

difficult return a not difficult you

16:06

know very simple to understand to

16:08

understand but let's say return a 200 uh

16:12

status code

16:14

let's see if this actually works this is

16:16

uh you know

16:18

there we are it actually works so tells

16:20

us how to limit uh you know files that

16:23

were found that return at 200 um an HTTP

16:26

200 status code so I mean this is

16:30

absolutely incredible now of course

16:32

we're taking a look at Red Team examples

16:34

and I'll I'll go through a couple more

16:35

just to show you how robust this is and

16:38

uh you know again the same question may

16:40

be asked uh you know

16:43

wouldn't be wouldn't this be easier to

16:45

search for directly on Google and the

16:47

answer is yes you can search for the

16:49

same thing however I don't think Google

16:51

can answer this question as specifically

16:53

as chat GPT has so for sure once the

16:57

research preview has ended they are

16:58

going to put this behind a paywall I

17:01

definitely deserves that I mean I'd be

17:02

happy to pay for this I found tremendous

17:06

use

17:07

um

17:08

I found this extremely useful when doing

17:10

research so on and so forth but uh you

17:13

know that's just a very basic example

17:15

that you can do now you may be asking is

17:17

it just limited to commands can we

17:19

generate some code of course we can so I

17:21

can say

17:22

um

17:23

generate a Shell Code

17:26

uh that executes

17:29

cmd.exe so let's say you want to

17:31

generate some Shell Code all right it

17:33

explains what's Shell Code it explains

17:35

what shell code is and then it gives you

17:39

some sample Shell Code that will execute

17:40

command.exe

17:43

all right there we are so just wait for

17:46

it to complete generating of course it

17:48

doesn't format it correctly but you get

17:50

that there now of course another thing

17:52

that I need to State and you'll see this

17:54

shortly is based on their

17:57

uh the actual policies and guidelines

18:00

you can really you know

18:03

interact with chat GPD in a way that may

18:06

produce results or information that

18:08

could be used for illegal activity so I

18:11

can say you know generate a phishing

18:13

email and you'll see the response here

18:16

so once it's done with this particular

18:18

question

18:20

or query if you will

18:22

I can say generate a phishing email

18:24

there we are so it tells us right over

18:26

here this content may violate our

18:28

content policy and what we can do then

18:31

let's say you know we don't regenerate a

18:33

phishing email it's too abstract anyway

18:35

but let's say we're trying to generate

18:37

some a very well written email so we can

18:40

for example say

18:42

um

18:43

let's see

18:45

um I can say write an email informing

18:49

employees of uh sorry let me type that

18:53

in

18:54

informing employees

18:56

of end of year bonuses

19:00

let's say we want to perform you know

19:02

phishing campaign we want to generate a

19:05

very well written email you can see it

19:08

actually does that for you so I mean

19:09

this is absolutely insane even more

19:11

insane than my haircut so anyway uh

19:14

getting back to this but uh you know it

19:16

actually it actually highlights areas of

19:19

substitution but there we are dear old

19:21

uh I am pleased to announce that our

19:23

company will be offering end of year

19:24

bonuses to all employees and of course

19:25

you can modify this and say click on the

19:27

following Excel or click on the

19:29

following document and sign it so on and

19:30

so forth and you know the that

19:32

particular document could contain a

19:34

macro speaking of macros can we generate

19:38

a macro

19:40

um let's try this we can say generate a

19:43

macro that executes and I'm sticking to

19:47

cmd.exe for Simplicity here that

19:50

executes cmd.exe

19:54

all right so it explains what macros are

19:56

in the context of office or the office

19:58

suite

20:00

um and it actually generates that macro

20:03

so

20:05

uh yeah yeah this is absolutely insane

20:09

uh and then you know I can ask it a

20:10

follow-up question

20:12

um

20:15

on the above code modify the above code

20:19

uh

20:23

to execute

20:26

a

20:29

Powershell script I know this is quite

20:31

stupid but uh you know I can ask it to

20:33

do this you can see that the only thing

20:35

substituted would be you know specifying

20:37

the path to the actual partial script

20:39

but I mean absolutely phenomenal I I

20:42

don't know whether you guys can see how

20:43

excited I am and this is this is like

20:45

insane do I have this type of resource

20:48

available is uh I mean I I can't even

20:51

believe that I'm seeing this

20:54

um

20:56

whatever you are doing this you know

20:58

some buff overflows which I'll be

21:00

covering on the channel uh but you can

21:01

say

21:04

C code vulnerable

21:07

to buffer overflows

21:11

you know very simple question explains

21:13

what a buffer overflow is

21:15

and

21:17

there we go generates the C code and

21:20

then it'll um let's see if it actually

21:21

provides an explanation there we are as

21:23

to why it is vulnerable so this can be

21:25

seen as both you know useful from the

21:27

perspective of a red team and blue team

21:31

um

21:32

but you can see there we are it actually

21:34

explains that and uh

21:38

we can say fix the above code if I can

21:43

type correctly today

21:45

there we are and um

21:48

where it'll actually show you how to fix

21:50

the the buff overflow vulnerability this

21:53

is this is mind-boggling guys and of

21:55

course I would love to hear what your

21:57

thoughts are in the comments section now

21:58

I'll be making follow-up videos on chat

22:00

GPT because there's a tons there's tons

22:02

of resources you know the desktop

22:04

applications the browser extensions uh

22:07

plugins for you know tools like Ida that

22:09

have been released I'll be covering them

22:11

how they they can sort of be utilized to

22:14

streamline the operations but these are

22:17

sort of the examples now I'll touch on a

22:20

couple of other examples for red team as

22:21

and I'll show you some blue team

22:23

examples

22:24

um you know so

22:25

and another one maybe could be uh you

22:28

know generate a bash script and this is

22:32

really cool and I'll show you why bash

22:34

script to that

22:36

um

22:37

that automates Port scanning within map

22:42

all right

22:46

I mean this is it actually provides

22:48

documentation I mean this is absolutely

22:51

insane now of course

22:53

this is something that you need to

22:54

verify you know you can't just take this

22:56

and run it in the case of more complex

22:59

pieces of code but it also tells you how

23:02

to execute the

23:04

just absolutely insane hope you guys are

23:07

excited as I am so that's very simple

23:09

but we can also do a bit of chaining

23:11

here so in addition to that I can say uh

23:15

I need a bash script

23:18

that automates

23:21

a sub domain enumeration with a tool

23:26

with you can say sublister

23:30

and

23:32

um

23:32

takes screenshots

23:39

with eyewitness this is more so for

23:41

those you know of you who are bug bounty

23:44

hunters uh it actually generates it and

23:46

looks like it gives us that uh

23:48

uh warning here

23:50

but uh

23:52

with regards to context I mean

23:55

I I can't believe what I'm saying I mean

23:58

honestly I don't know whether you guys

23:59

can

24:01

um this is absolutely insane so you can

24:03

say it you know prompts the user for the

24:05

sub for the Target domain and then

24:07

enumerates it with uh with subflist

24:10

auto-based the process and it outputs it

24:12

into a text file and then utilizes

24:15

eyewitness to take screenshots and yeah

24:18

just absolutely insane now

24:23

um

24:24

another cool example that I had seen

24:26

recently on Twitter is we can say

24:29

generate a CTF

24:32

challenge

24:34

um that contains an SQL injection

24:40

vulnerability

24:42

okay

24:45

oh all right okay all right yeah so we

24:48

got the error there doesn't look like it

24:50

works anymore but I'll show you

24:51

something really interesting in a second

24:52

so we've taken a look at some really

24:54

interesting red team examples I'll touch

24:56

upon blue team so let's take a look at

24:58

that now

25:00

all right so

25:01

I have created a new

25:04

um a new chat here so for blue team how

25:07

can this be used well let's take some

25:09

tools that you typically utilize so for

25:12

example we can say let's say we're

25:15

trying to learn how to

25:17

write a search query to identify changes

25:21

in Windows registry right on the Windows

25:23

registry from

25:25

the logs that are and events that are

25:27

being sent to Elk so you can say elk

25:29

query to detect

25:32

um registry changes

25:36

okay that gives you an intro to the

25:40

elastic or rather the elk stack and then

25:44

I hope you guys are seeing this but uh

25:47

there we are

25:51

here we are so event ID of 13 and uh

25:54

absolutely insane

25:56

uh so you can actually use this up you

25:58

know a couple of examples are you know

26:01

rejects or we can just say regular

26:04

expression

26:07

um

26:07

built a IP addresses

26:10

in Splunk let's say

26:15

all right it explains what regular

26:17

expression is

26:18

and of course the code or rather the

26:21

regular expression you can use to filter

26:22

an IP address in Splunk and now for the

26:25

final example in this case I'll use my

26:27

own piece of code I'm going to paste in

26:29

a piece of code here a PHP code that is

26:33

vulnerable to SQL injection because of a

26:35

lack of input sanitization

26:37

and I'm going to show you that it can

26:40

actually identify the issue again

26:42

without you know if we had asked jpt to

26:45

show give us an example of PHP code that

26:47

was vulnerable to SQL injection hey you

26:50

might be thinking yourself well you know

26:51

it's going to it's going to very easily

26:53

do that but let's provide our own code

26:55

and let's see how smart it is at

26:57

detecting that

26:58

all right so I've just brought up a

27:02

a PHP piece of PHP code that is

27:05

vulnerable to SQL injection so you know

27:07

like in this case I can say

27:10

um

27:10

what's wrong with this PHP code

27:16

very simple right and I paste in the

27:18

snippet there

27:20

and it tells us that there's a few

27:22

potential issues with the PHP code so it

27:24

says the arcv arrays used to pass

27:26

command line arguments to a PHP script

27:28

this is correct and then of course the

27:31

second Point here the get arrays used to

27:33

pass data to the to a PHP script through

27:37

the URL query string but it is not safe

27:40

to use uh user provided

27:43

um

27:43

let's see it's not safe to uh to use

27:46

user provided data directly in a SQL

27:49

query an attacker could manipulate the

27:50

ID parameter in the URL to form an

27:53

injection attack which could allow them

27:55

to execute arbitrary SQL statements at

27:58

potentially compromise the database to

28:01

fix these issues you could consider the

28:02

following wrap the code that passes so

28:05

on and so forth the following and then

28:08

the if statement itself and then use

28:10

prepared statements and you know it

28:12

actually gives us an example of how we

28:15

can modify the code to address these

28:16

issues so think about this from the

28:19

perspective of a blue team or even a web

28:20

developer or a developer in general you

28:23

can easily identify issues in your code

28:25

if you're if you know if you're new to

28:27

development or

28:29

if you're trying to find vulnerabilities

28:31

in your code and I mean yeah it's it's

28:34

incredible and of course I've just shown

28:36

you some very very basic examples here

28:39

now I've uh of course I'm not going to

28:41

go through some some more examples

28:43

because I think you guys get the gist of

28:45

what I'm saying here of course I

28:47

recommend trying it out yourself and I'm

28:49

just gonna clear my conversations here

28:51

but now coming to the question one of

28:55

the the actual incentives for making

28:57

this video and that was how will this

28:59

affect cyber security the industry in

29:02

general and of course practitioners and

29:05

from the questions I received it seemed

29:07

that there was sort of a negative

29:08

connotation Associated or attached to

29:11

the question which makes sense because a

29:12

lot of people are saying well if

29:15

you know a chatbot

29:18

a natural language processing chatbot

29:20

can do this and has enough context to

29:23

answer these types of questions doesn't

29:25

that sort of make in a way

29:29

penetration testers or cyber security

29:32

practitioners redundant in a way and of

29:35

course the answer to that is of course

29:37

not right in the case of chat GPT but

29:41

the question was

29:43

widely asking the impacts of AI on cyber

29:46

security and of course you know based on

29:49

what we've seen here it's very clear to

29:52

me after thinking about it long and hard

29:54

having

29:55

uh you know practiced in the cyber

29:57

security industry for a long time after

29:59

having developed training material and

30:02

you know I I essentially understand a

30:04

lot about instructional design with

30:07

regards to cyber security and how to

30:09

assess

30:11

the knowledge skills and abilities of

30:13

let's say a pen tester right and based

30:16

on what I've seen here it's very clear

30:18

that chat GPT is not going to you know

30:22

is not going to get any anyone is not

30:25

going to kick anyone out of a job in

30:27

cyber security instead it is going to

30:30

enhance their Knowledge and Skills with

30:34

regards to whatever they're doing

30:35

whether they're a pen tester or a blue

30:37

teamer or even a developer as I pointed

30:39

out now what do I mean by that well

30:42

uh you know nist and the nest nice

30:45

framework utilizes knowledge skills and

30:48

abilities to essentially categorize or

30:51

break down

30:53

um a person's let's call it

30:56

um

30:58

a person's ability to do something or

31:01

their

31:02

their Readiness I I I really can't

31:05

explain it in very simply but it

31:08

essentially assesses and determines as

31:10

it says right over here the best

31:12

applicants are when several candidates

31:14

qualify for a job all right so

31:17

it's known as the knowledge skills and

31:20

abilities framework it's widely used and

31:22

it's very very important as I said the

31:23

next nice framework is adopted by many

31:26

governments uh companies as well as you

31:29

know intelligence units so on and so

31:31

forth It's adopted by a lot of a lot of

31:34

organizations for various reasons

31:35

because

31:37

uh again as I said it determines who the

31:40

best applicants are when several

31:42

candidates qualify for a job the

31:45

knowledge skills and abilities necessary

31:46

for the successful performance of

31:48

opposition are contained on each job

31:50

vacancy announcement so you know it's

31:52

broken down into knowledge skills and

31:54

ability so knowledge consists of these

31:56

subjects topics and items of information

31:57

that an employee should know at the time

32:00

he or she is hired or moved into the job

32:02

let's just disregard

32:04

this here all right so knowledge is

32:07

essentially referring to your

32:08

theoretical

32:10

understanding of the field that you're

32:12

working in when I say theoretical I mean

32:14

understanding of what your role consists

32:17

of at a high level uh so sort of

32:20

understanding the elements that make up

32:22

you know your job and understanding them

32:25

theoretically very well skills refer to

32:27

the technical or manual proficiencies

32:29

which I usually learned or acquired

32:31

through training or through application

32:34

or empirical

32:36

empirical actions so this is where you

32:39

know uh you know none of these precedes

32:42

the other but you'll typically you'll

32:44

typically start off with knowledge so

32:45

you know you have your skills now and

32:47

this is where you're able to now take

32:49

information which is what we did with

32:51

chat GPT where you can ask it a question

32:53

you get knowledge regarding a particular

32:55

topic and I'm speaking very micro now

32:57

you know I can ask it what is adverse

32:59

remulation it tells me what adversary

33:01

emulation is I can ask it some follow-up

33:02

questions but at the end of the day I

33:05

still need to go and do that out

33:07

manually okay and that's where skills

33:10

come into play so with regards to how

33:13

charged apt will impact or affect cyber

33:15

security

33:17

I think that it will greatly

33:20

I mean

33:21

incredibly improve knowledge that the

33:24

knowledge of the the Next Generation and

33:26

the current generation of cyber Security

33:28

Professionals because you'll be able to

33:30

again get answers to your questions very

33:33

very quickly uh very efficiently and

33:36

you'll essentially improve or better

33:38

your understanding of whatever you're

33:39

you know you're doing or you're trying

33:41

to learn or whatever you're practicing

33:43

and of course this applies to not just

33:44

students but practitioners cyber

33:46

security practitioners people who work

33:48

in jobs as I give you an example with

33:50

the the elk query example where you know

33:53

if you're someone working in a blue team

33:55

and you're having a bit of issues you

33:56

can sort of offload a bit of the problem

33:59

solving to chat GPT or help it make you

34:02

understand what you need to do from a

34:05

fundamental level and this is where as

34:07

an individual you can then assess your

34:09

gaps in knowledge so if you're having a

34:12

a tough time with writing elk queries

34:14

and you utilize chat GPT you can

34:17

essentially say okay I clearly don't

34:19

understand this enough

34:21

can you help me get started with

34:24

learning regular Expressions how to

34:26

write regular Expressions then you move

34:27

on from there but at the end of the day

34:29

this would still need to be done

34:31

manually so

34:32

you then have abilities right abilities

34:34

present demons uh demonstratable

34:37

capacity to apply several knowledge and

34:39

skill simultaneously in order to

34:41

complete the task or perform an

34:43

observable Behavior so this is referring

34:45

now to your actual job right skills is

34:47

really talking about

34:49

um you know technical or manual

34:50

proficient proficiencies and highlight

34:54

your ability to do things uh like I

34:57

don't use the word ability but

34:59

highlights your competency with regards

35:01

to performing what fall what falls under

35:03

your your actual job role and your

35:05

responsibilities and then abilities

35:07

present demonstratable capacity to apply

35:10

several Knowledge and Skills

35:11

simultaneously so sort of the

35:12

intersection of all of the elements that

35:14

make up your job role so if you think of

35:17

a blue team abilities is where you have

35:19

the ability to detect threats

35:22

um perform correlation perform incident

35:25

handling incident response on and so

35:27

forth so

35:28

as I said the reason why I use this is

35:31

to sort of break that down of course

35:32

I've rambled on for a long enough time

35:34

but I think that jpt will greatly

35:37

improve this aspect here knowledge uh

35:40

and it'll make people much more

35:41

efficient with regards to what they're

35:43

doing and will make learning much more

35:45

efficient now as I said this area here

35:48

is something that again will not change

35:51

at least in my opinion unless AI systems

35:54

actually start doing this themselves but

35:57

even with that being done it would still

35:59

need manual verification because again

36:02

it's very difficult to

36:04

at least in the short term assign some

36:08

form of responsibility to a system to

36:10

essentially you know for example find

36:12

vulnerabilities in code fix them without

36:14

breaking let's say a web application but

36:17

at a very basic level they can do that

36:19

at the moment but these two I think here

36:21

is where humans will still be required

36:24

obviously uh but um

36:26

you know with regards to knowledge you

36:28

can obviously see that it's sort of you

36:31

know it's absolutely amazing and that's

36:34

essentially what I wanted to point

36:36

across instead of looking at chat GPT as

36:39

a threat to you and you know your skills

36:41

or whatever because even when I tried

36:43

this I was like wow this is I mean wow

36:46

you you can ask any question you had

36:49

really at you know take into account all

36:52

of the the limitations you can ask it

36:54

you know anything you had and it's much

36:56

faster than a Google search much faster

36:58

than watching a video which is a bit

37:00

scary to say but uh

37:02

this is one of the reasons why I focus

37:04

on this framework because

37:06

in my videos I try and cover all of this

37:09

right and of course abilities now come

37:12

through repetitive action and having an

37:15

understanding of different aspects of in

37:17

our case cyber security but I touch upon

37:19

knowledge so I explain things to begin

37:21

with and then I go over the skills or

37:23

how to use a tool you know so on and so

37:25

forth this is what you do in this case

37:27

on etc etc and then abilities is taking

37:30

into account maybe uh one to ten videos

37:33

that combine a lot of things together

37:35

and put it or give you an actionable you

37:39

know an actionable skill if I can use

37:42

that word without you know contradicting