![how to use AI as a soc analyst](https://static.wixstatic.com/media/29a6f6_0230c5d86e9c48dabeba9592b249602e~mv2.png/v1/fill/w_980,h_1250,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/29a6f6_0230c5d86e9c48dabeba9592b249602e~mv2.png)
How to use ChatGPT as a SOC analyst?
This KB will discuss what ChatGPT is, a disclaimer for its use, and how to use it as a SOC analyst.
What Is ChatGPT?
ChatGPT is the best chatbot humans have ever seen. There are all sorts of fancy words to describe how it works, like the Large Language Model (LLM), or Generative Pre-trained Transformer (GPT), or Machine Learning Driven Research Stealing Internet Models Without Giving Credit to People (MLDRSIMGCP). I just made the last one up but it sounds right. It’s designed for natural language understanding and generation. You can interact with ChatGPT to ask questions, get information, have conversations, or seek assistance on various topics. The model has been trained on a diverse range of Internet text, allowing it to respond to a wide array of queries. And it’s useful, but limited.
It’s important to note that while ChatGPT can provide helpful and informative responses, it may not always be perfectly accurate or contextually appropriate.
And almost everything about being a SOC analyst is real time. ChatGPT 3.5 cannot give you information about website reputation, IP reputation, file reputations, whois information, or any other steps described in The SOC Analyst Method. At the time of this writing, the data used by ChatGPT is only current up to January 2022. Since most indicators of compromise have a short shelf-life, it is out of the question to use ChatGPT to verify the reputation of IOCs.
But there are a couple of applications for ChatGPT that you will find very relevant as a new SOC analyst that can help springboard your career and lessen the water from the firehose you’ll drink from in the first year.
Disclaimer on Terms of Service for ChatGPT
No one ever reads the terms of service for a product, but you might want to glance over ChatGPTs if you find yourself working for a company and decide to use ChatGPT to analyze some code found on a computer you’re investigating. OpenAI, which created ChatGPT, now has that code saved on its systems. You might ask, “So What?” The code triggered an alert, and you were just doing your job, right? In this scenario, what if you worked for a software company and the code is part of an app under development that hasn’t been released to the public, and you’ve inadvertently given it away to OpenAI? For this very reason, some companies have policies against using ChatGPT and other LLM AI models. Be sure to understand your organization’s stance on using ChatGPT before using it for official business.
With that said, let’s have some fun.
Code Review
ChatGPT knows what malicious code looks like with some degree of certainty and it knows how to analyze it for vulnerabilities, but likely not better than tools designed for this task. You might find an occasion to paste a script into ChatGPT and have it explain to you the context and nature of it without having to read through it line by line, even if you knew the language. You can also ask it if it looks malicious or not and take the information it gives you to further study it. This is particularly helpful to an analyst when analyzing powershell from your endpoint tool, or perhaps, javascript from an IPS alert. When you see those alerts, you can pop the script into ChatGPT and ask questions about it. But the reality is, only rarely would this be practiced in the real world. If you’re seeing it now then your endpoint tool, IPS, WAF or whatever have already alerted you that it looks malicious and those tools should be used first as a source of truth because that’s what they specialize in. However, if the tools don’t give you enough information, pasting it into ChatGPT might give you additional insight.
EXERCISE ONE
Go to https://github.com/explore and find a random, publicly available piece of code and copy it into the ChatGPT message bar and ask, “What does the above code do?”
This will give you an example of how ChatGPT can be used effortlessly. It doesn’t matter if the code is 20 lines or 500 lines long; ChatGPT will explain the purpose of the code in simple language.
File Paths
You might find an opportunity to paste a file path into ChatGPT to have it determine if it belongs to a legitimate application. Let’s take into consideration that this data is two years old at this point so it can only be used to check what it’s seen before, not to be used as evidence that something is malicious because the file path is anomalous. New files come out every day that are completely legitimate and old files get new file paths. Sometimes, it’s worth a quick check to confirm a file is in the correct place.
EXERCISE TWO
Go to ChatGPT and type in:
“Is this file path malicious C:\WINDOWS\System32\Wbem”
“What file path does Malwarebytes typically install to?”
Creating Queries for SOC Analysts
ChatGPT can be used to write YARA rules, Suricata rules, KQL queries, SPL queries, and many other syntaxes for threat hunting or creating rules or alerts. This is the most effective and helpful way to leverage ChatGPT as an analyst. It does this fairly well; you can describe what you want it to find in natural language. This can be extremely helpful to you as a new SOC analyst because you likely need to gain familiarity with these tools to create custom threat hunts or alerts yourself. It may require editing, but it’s much easier than starting from scratch.
EXERCISE THREE
Go to ChatGPT and tell it, "Write a Splunk query that shows me all logs that contain hashes from all indexes"
Enter that query into Splunk and the result is all the malware that we've captured so far in the cyber range.
- Take the hash and go to VirusTotal and enter it in the search.
- Take the hash and Google it for sandbox results.
- Any interesting websites with information about it on Google?
1. What is the name of the tool or malware that this hash relates to?
2. What do you think the attacker was looking for?
EXERCISE FOUR
Go to ChatGPT and tell it, "Write a Splunk query that creates a table of the most common source IP addresses in descending order over the past 24 hours."
Be sure to read the ChatGPT output and change "src_ip" to "src" before running it.
- Take the IP addresses and go to VirusTotal and enter them in.
- Take the IP addresses and go to IPVoid and enter them in.
- Now Google the IP address and see what open source intelligence you can glean.
- Now do a whois on the IP address to get context on who owns it.
1. Do you think this IP address is malicious?
2. Are there any other things hosted at this IP address?
3. How long do you think this IP address has been used this way?
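The two searches below are an added example, not output from ChatGPT and not part of the original article, showing what a reviewed version of the Exercise Three and Exercise Four queries can look like once an analyst has edited them. Both assume the cyber range's field name `src` (as the note above about changing `src_ip` says), assume a 24-hour window, and the `coalesce` line is an assumption of mine that lets the second search work whether the data carries `src` or `src_ip`.

```spl
index=* earliest=-24h
| rex field=_raw max_match=0 "(?<hash>\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b)"
| where isnotnull(hash)
| stats count AS events, dc(index) AS indexes, values(sourcetype) AS sourcetypes BY hash
| eval hash_type=case(len(hash)==64,"SHA-256", len(hash)==40,"SHA-1", len(hash)==32,"MD5")
| sort -events

index=* earliest=-24h
| eval src=coalesce(src, src_ip)
| where isnotnull(src)
| stats count BY src
| sort -count
| head 25
```

In the first search, `rex` pulls every 64-, 40- or 32-character hex string out of the raw event into a multivalue field named `hash`, `stats` counts events per hash across all indexes, and `eval` labels the hash length so you know which VirusTotal lookup to run. The `\b` boundaries keep it from matching inside longer strings, but any hex string of those lengths still matches (hyphen-less GUIDs, session tokens), so confirm a hit in VirusTotal before treating it as malware. In the second search, `coalesce` picks `src` when it exists and falls back to `src_ip`, which is exactly the kind of field-name edit the article warns you will need to make to a ChatGPT query; `head 25` keeps the table to the top talkers. Both searches use `earliest=-24h` because `index=*` over all time is expensive; widen the window deliberately when hunting historically.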
Rewriting
One useful function, especially to those writing in their non-native languages, is the ability to leverage ChatGPT to rewrite your sentences. Report writing and rewriting summaries from the SOC Analyst Method are valuable to us as the SOC is often a global workplace. English might not always be our first language, or even if it is, it may benefit you to have ChatGPT make a write-up. I gave it details and asked it to write a formal Root Cause Analysis (RCA). With minimal editing afterward, I could deliver it to a customer, saving time. But be careful, as sometimes ChatGPT can misconstrue the meaning behind your words and add ambiguity and vagueness where there was once clarity. You may be surprised at the result but don’t let it misinterpret your findings.
EXERCISE FIVE
Ask ChatGPT to rewrite the Declaration of Independence.
Would you allow ChatGPT to rewrite things without approval?
ChatGPT as a Weapon
We’ve discussed how ChatGPT can aid junior analysts in their day-to-day work; now, let’s talk about how bad actors can use it for malicious means. In a previous article, we spoke of phishing. To recap, phishing is a crafted email meant to get a user to visit an evil website or download a malicious file. Historically, one of the tell-tale signs of a phishing email was typos or grammatical errors, because English was likely a second language for the person crafting the email. Now, through the magic of LLMs and ChatGPT, an attacker can write an email in their native language, give it to ChatGPT, and ask for it to be translated into any language they want with better accuracy than traditional translators. Let’s give it a try; the following is a short phishing email I wrote in English.
“Hello, EvilWebsite.com is committed to providing you with the best possible shopping experience. Our website features the latest products from top brands, and we regularly offer discounts and promotions to help you save money. Click the link below for free shipping on your first order.”
Now, let’s see what ChatGPT outputs when I ask for it to be written in Spanish.
“Hola, EvilWebsite.com está comprometido a ofrecerte la mejor experiencia de compra posible. Nuestro sitio web presenta los últimos productos de las mejores marcas, y regularmente ofrecemos descuentos y promociones para ayudarte a ahorrar dinero. Haz clic en el enlace de abajo para obtener envío gratuito en tu primer pedido.”
How about German?
“Hallo, EvilWebsite.com ist dazu verpflichtet, Ihnen das bestmögliche Einkaufserlebnis zu bieten. Unsere Webseite bietet die neuesten Produkte von Top-Marken, und wir bieten regelmäßig Rabatte und Aktionen an, um Ihnen zu helfen, Geld zu sparen. Klicken Sie auf den untenstehenden Link für kostenlosen Versand bei Ihrer ersten Bestellung.”
Regardless of the language, ChatGPT can convert it with minimal effort. Overall, OpenAI has done an excellent job of making ChatGPT a safe tool. In the early days of ChatGPT, someone could have ChatGPT write simple scripts that could destroy a computer’s filesystem. However, ChatGPT is one of many LLM AIs on the Internet. At DEF CON 31, there were multiple demonstrations of locally hosted LLMs that were trained to develop malicious code or run a malware Command and Control server. As AI progresses, we will continue to see it used by hacking groups and scammers.
Summary
While ChatGPT is relatively straightforward, knowing when to use it is a little more complex. As we’ve discussed, it does not contain real-time information, limiting its value to us as SOC analysts. Its most valuable use case is that it can write queries for you in languages you haven’t likely come across yet, making security analysis tools faster and more accessible. As ChatGPT continues to improve, even adding the ability to search the Internet, it will increase in relevance to us. However, it will still be limited in the data it can reach without tool licenses. Rewriting is another function of ChatGPT that can help with communication as the SOC is a global workplace, often with challenging barriers for those whose first language isn’t English. Lastly, you can always query ChatGPT for general information about cybersecurity as you would Google. For example, what a particular Windows Event ID might be, and it might save a few minutes of standard Internet searching when it delivers the correct answer immediately.
![Cyber NOW Education: How to start a career in cybersecurity](https://static.wixstatic.com/media/29a6f6_618d031212b64fda87896d100054c76f~mv2.jpg/v1/fill/w_980,h_560,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/29a6f6_618d031212b64fda87896d100054c76f~mv2.jpg)
Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.
You can connect with him on LinkedIn.
You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.
Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.
Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here