MA-912.022023: MyCERT Advisory – ChatGPT and Security Best Practices

On November 30, 2022, the San Francisco–based company OpenAI launched ChatGPT. ChatGPT was initially launched as free to the public, with plans to commercialise the service later. By December 4, 2022, ChatGPT already had over one million users, and ever since, much has been discussed and concerns have been raised by various parties.

OpenAI’s ChatGPT is a language generation model that uses machine learning techniques to generate human-like text. It is based on the GPT (Generative Pre-training Transformer) architecture, which has been trained on a large corpus of text data. ChatGPT can be fine-tuned for various natural language processing tasks such as language translation, question answering, and text summarization. The model is available for use through the OpenAI API and can be accessed at OpenAI’s website. ChatGPT is a state-of-the-art language generation model widely used in natural language processing tasks. It has been shown to perform well in text generation and summarization tasks and has also been used in developing chatbots and language translation systems.

To build the corpus of text data fed to ChatGPT, information is scraped systematically from the internet, including books, articles, websites, news, documents and posts, potentially taking personal information without consent. If users have written a blog post or product review, or commented on an article online, there is a good chance ChatGPT consumed this information. User-published work, including journal articles, was found to be consumed by ChatGPT.

Several studies have been conducted on the performance of GPT-based models like ChatGPT. Studies have shown that these models generate highly coherent and fluent text. However, GPT-based models also have some limitations, such as the likelihood of generating biased or factually incorrect text when given biased input data. Additionally, some studies have raised concerns about the ethical implications of using such models, particularly regarding the potential for them to be used for disinformation and manipulation.

There are several ways users can access and use ChatGPT. The OpenAI API is the easiest and most trusted way to use ChatGPT. Users can access the API through the OpenAI website and use it to generate text, translate text, answer questions, and more. To use the API, one needs to create an API key and then use the appropriate API endpoint to make requests. Users can also access ChatGPT via the OpenAI website by registering a free account. They may then log in to their account and interact with ChatGPT by asking and prompting questions on study topics.

It has been said that ChatGPT could change the way we do our daily work. For instance, entry-level staff in the incident response field can benefit significantly by asking ChatGPT to interpret alerts or detections. Based on the feedback from ChatGPT, they can begin the triage process. A specific example is helping with practitioners’ daily de-obfuscation of suspected malicious code, which typically takes an hour or more.

A staff member could use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. The staff member could also pose a question about an incident and ask ChatGPT for recommendations for resolving the incident, potentially more quickly. For example, it may take an incident response team some work to get the necessary solutions for incidents. This may seem helpful, particularly for small incident response teams. However, users need to be cautious of the limitations of ChatGPT, highlighted in this advisory under Section 6.0.

In malware analysis, ChatGPT could do reverse engineering work at scale, analysing hundreds of thousands of binary samples and providing insights to an analyst. It can also analyse the genetic code of the malware and see where there may be code reuse to identify the author’s fingerprint more quickly.