Check out the evolving landscape of cybersecurity in our latest episode of Golden Nuggets. This video discusses groundbreaking research on how AI, specifically a GPT-4 based agent, is autonomously discovering and exploiting zero-day vulnerabilities with a staggering 53% success rate.
Earl Duby explains the implications of AI-driven attacks that are reducing the critical patching window from months to mere hours, posing new challenges for corporate defenders. Listen to how these advances are reshaping vulnerability management and what measures can be taken to stay ahead.
If you are interested in learning more about Artificial Intelligence and how that can impact information security, join our webinar with eSentire July 24th @ 11am. The link to register is in the comments!!
Transcript:
(0:00) Hey, welcome back for another episode of Golden Nuggets. You know, I was looking at my LinkedIn (0:06) feed the other day and I ran across this article from a magazine called New Atlas, and it’s talking (0:13) about GPT-4, so it’s the next iteration of the LLM GPTs that are out there. And what this group of (0:24) researchers at University of Illinois had come up with is that this agent that they created out of a (0:32) GPT-4 version can autonomously hack zero-day security flaws with a 53% success rate.
So we’re (0:42) going to link the article here so you can take a look at it. But, you know, this is kind of, (0:48) you know, when you think about vulnerability management, this is your, like, worst nightmare (0:52) starting to happen here. And the fact that, you know, in the old days, if Microsoft came out with (0:57) a patch, you know, you had months to apply this patch, you know, so you could test it, you could (1:05) have different teams in your organization try it out, make sure it didn’t affect, (1:10) you know, applications adversely, or it didn’t break some old machine in your environment.
(1:16) But you had time, you know, the announcement would come out that there was a vulnerability, (1:21) and then, you know, there was a period of time that patches would come out, and then you had (1:25) some amount of time to apply the patches. So there was some breathing room there. (1:30) You know, now that you see artificial intelligence and, you know, these large language module or (1:37) LLMs coming out, you start to see that window of opportunity shrinking.
So at the point in time (1:44) where a vulnerability is announced by a software company, to the point where you have to get that (1:51) thing patched, went from months to weeks to days, and now it’s almost becoming hours. (2:01) Because what this, what they’re doing here with these researchers are, these are zero days. So (2:06) these are vulnerabilities that haven’t even been publicly disclosed yet, and they have developed a (2:14) basically a network of agents.
So there’s like a scheduler agent, and then these subordinate agents, (2:22) and they push these things out, and it’s finding vulnerabilities that are in the software but (2:31) haven’t been disclosed yet. And in that article, there’s a discussion about a previous article (2:37) that these same researchers had published, and this was just published in April. So they’re (2:42) pretty prolific in that they’re putting a lot of stuff out there, these researchers.
So I downloaded (2:48) this report for the previous one, and what they were talking about in that report was that (2:57) they created these agents, again, based on LLMs, and then, you know, they put some tools in there, (3:04) and they built these little agents, and they could point them to specific vulnerabilities (3:13) that had CVEs published. So they would, they were looking for these common vulnerabilities and (3:20) exposures in the database. Then they put a prompt in to the agent that says, hey, go exploit this (3:30) vulnerability and keep trying until you can do it, and then they would feed in the CVE.
(3:35) And they found that with feeding the agent the CVE, this LLM agent could exploit that vulnerability. (3:46) And they also found that even if they didn’t feed of the CVE, it could still sometimes (3:53) exploit the vulnerability. So with the CVE data, 87 percent of the time, this autonomous agent could (4:02) exploit the vulnerability and get into that system.
Without the CVE, it was at seven percent. (4:10) So, I mean, seven percent sounds low, but seven percent is still seven out of a hundred times (4:15) this artificial intelligence, or however you want to call it, you know, it could actually (4:22) exploit a vulnerability that is in, you know, out there in the world. 87 percent is crazy, you know, (4:31) just by feeding it the CVE and then letting it loose.
So, like, this has got to cause some very (4:39) serious concerns to corporate defenders or anyone else that is kind of managing networks and trying (4:47) to track vulnerabilities and exploitation down, because by the time you read it in, (4:54) you know, in your news feed, or by the time you get the notification from your software vendor (5:01) that, you know, there’s this vulnerability in the software you’re running, it could already be (5:07) getting exploited just by the fact that it’s now not human researchers and human adversaries trying (5:14) to figure this stuff out. It’s automated attacks that are just using what’s already available (5:23) in the public space and able to exploit those vulnerabilities. So, the reason this is important, (5:29) you know, and I’ll kind of wrap it up at that, you know, we’ll give you the resources, (5:32) you can go look at it, but from a vulnerability management standpoint, (5:38) there is still this kind of reluctance to push the patches out or the updates out until they’re fully (5:47) tested or, you know, until someone can get around to it.
And generally, things are now on, like, (5:52) 30, 60, 90-day cycles. So, 30 days for criticals, 60 days for high risk vulnerabilities, and 90 days (6:02) maybe for mediums or everything else. But, so we’ve ingrained this mindset in that we have (6:10) weeks or months to solve these problems.
Well, what these researchers are finding, and it won’t (6:17) be long before the adversaries start to pick this up, is these things can be exploited the next day. (6:24) So, their first report was talking about how quickly they can exploit a vulnerability that (6:31) has been published basically yesterday, even though it might not have a patch out, (6:36) the CVE gives them enough information to exploit that vulnerability. The new report that comes out (6:43) says there’s a 53% chance that they can exploit a zero day, meaning there isn’t even a patch (6:50) that’s out there and, you know, the visibility in the public sphere is even lower.
So, (6:56) if you’re responsible for defending corporate networks, you got to rethink the way that you (7:03) are timing out your remediation processes, because that time is getting shorter and shorter and (7:11) shorter, and you’re going to have to squeeze as much efficiency out of your processes as possible (7:16) to start to map up to what’s coming down the pike here as these automated attacks, you know, (7:23) start to happen. So, that’s all I have to say about that. So, if you are interested in (7:29) artificial intelligence and how that can impact information security, we do have a more in-depth (7:36) webinar coming up soon.
The link will be down below. You can go there, register, (7:42) and we’re going to talk in-depth about how artificial intelligence is impacting (7:47) the information security or cyber security industry, and I think it’s going to be a great (7:53) conversation. I’d like to see you there, so sign up.
And with that, you know, thanks for tuning (8:00) in this time. Catch us the next time, and in the meantime, stay safe out there. Thank you.