ChatGPT for Incident Responders

Omar Alanezi


ChatGPT has been a game changer since its launch, providing users with powerful language processing capabilities. However, its potential goes beyond simple text generation and analysis. In this article, we will explore how ChatGPT can be leveraged for incident response, specifically to automate the collection of data from host systems. Automating incident response is crucial in today's fast-paced cybersecurity landscape, where time is of the essence. Without automation, incident response teams face significant challenges in responding to threats in a timely and effective manner.

Incident Response

The IR process typically involves the following steps: preparation, identification, containment, eradication, recovery, and lessons learned. However, one of the biggest challenges that IR teams face is the manual effort required to collect data from hosts during an incident. This can be a time-consuming and difficult process, especially in environments with many endpoints. Automating the collection of data can significantly reduce the time it takes to collect the necessary information and free up IR analysts to focus on analysis and response. In this article, we will explore how ChatGPT can be used to automate the collection of data during an incident response engagement.

The breakdown of the IR process into steps is crucial for any effective IR engagement. The following steps are generally followed in the IR process:

1. Preparation: This step involves establishing a comprehensive IR plan, a communication plan, and defining roles and responsibilities.

2. Identification: This step focuses on detecting and identifying security incidents and differentiating between a "Security Event" and an "Incident."

2.1. Scoping: This step is critical to identify the extent of the attacker's presence in the network and the level of compromise. It involves scoping the network to discover any newly compromised systems, extracting new IOCs, and repeating as necessary.

3. Containment: This step involves isolating the affected systems and preventing the incident from spreading throughout the network.

4. Eradication: This step involves removing the cause of the incident and restoring systems to their normal state.

5. Recovery: This step involves bringing affected systems back online and closely monitoring them to prevent any additional attacks.

6. Lessons Learned: The final step is to evaluate and learn from the incident to enhance and improve the IR process.

Note: After identifying and declaring an incident, the incident response process should enter a mini-scoping cycle. The purpose of this cycle is to identify the scope of the attacker's activity and to discover any newly compromised systems within the network. This mini-loop continues until the incident response team believes that they have fully scoped the incident and are ready to move on to the eradication/remediation phase. This step is critical because it allows the IR team to fully understand the extent of the compromise and to prevent any further damage or spread of the incident.

Automating IR

As an incident responder, you often have to start collecting data from scratch to investigate a security incident properly. This data can include hostnames, IP addresses, hashes, file names, and paths, and the work extends to writing detection rules such as YARA, Sigma, and Snort rules. To identify and scope the incident, you also need to gather system information, process execution data, network activity, PowerShell activity, WMI events, registry data, scheduled tasks, RDP connections, DNS cache, file access, and more, depending on the nature of the incident. ChatGPT can make this process much more manageable: by instructing it in plain language, you can have it write the scripts that you then execute on remote machines to gather the data needed for effective incident response.

In this section, we focus on scoping, the core of our incident response automation with ChatGPT. Our target platforms for this demonstration are Windows 10 and Windows Server. The core functionality of the automation is to collect system artifacts and security events for analysis, using PowerShell and WMI as the technology stack. To use it, you must have administrator rights on the target and PowerShell Remoting enabled. Note that while PowerShell and PowerShell Remoting can perform powerful tasks, attackers also use them for malicious purposes; we conducted this test in a lab environment. Enabling PowerShell logging and PowerShell Script Block Logging provides visibility into PowerShell activity on the hosts.

For more information on PowerShell Remoting and the technology behind it, see Microsoft's documentation on Security Considerations for PowerShell Remoting using WinRM.

Let's get started with the practical part of automating incident response with ChatGPT.

The first script gathers system information such as the computer's name, processor, memory, and other data. ChatGPT generated the script, which saves its results to a text file of our choosing. Let's verify the accuracy of the results, given that we are relying on an artificial intelligence model.
Fantastic! ChatGPT has given us a valid PowerShell script that worked without any issues.

Let's explore further by collecting details about the installed software, running processes with their arguments, and also network connections and settings.
Let's now attempt to run the script on a different computer using PowerShell Remoting:

Invoke-Command -ComputerName {Your_Target_HostName1} -FilePath .\ChatGPTScript1.ps1 > OmarResults.txt

Excellent! We have successfully executed the script on a remote machine and saved the results to an output file. ChatGPT is a powerful tool, and there are many other artifacts that can be collected during an incident response engagement. Here is a list of some additional artifacts that may be useful: user activity, user account management, system configuration, scheduled tasks, Windows service activity, PowerShell activity, process execution, image load, network activity, process access, authentication events, DLL injection, and COM object activity.
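The following is an added example, not the article's ChatGPT-generated script: it combines the collection steps above (system information, installed software, processes with arguments, network connections) with several of the additional artifacts just listed (scheduled tasks, services, PowerShell Script Block Logging events) and runs them against a list of hosts over PowerShell Remoting. The hostnames are placeholders, and it assumes WinRM is enabled and the caller is a local administrator on each host.

```powershell
# Added example, not the article's ChatGPT-generated script: collect the
# artifacts discussed above from several hosts over PowerShell Remoting.
# Assumes WinRM is enabled and the caller is a local administrator on each
# host; the hostnames below are placeholders for your own.
$Targets = @('WS-PLACEHOLDER-01', 'SRV-PLACEHOLDER-02')
$OutDir  = Join-Path $PWD ('IR-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Runs on the remote host; one object per host keeps each artifact type in
# its own section of the report.
$Collect = {
    [pscustomobject][ordered]@{
        Host      = $env:COMPUTERNAME
        Collected = (Get-Date).ToUniversalTime().ToString('o')
        System    = Get-CimInstance Win32_OperatingSystem |
                    Select-Object Caption, Version, LastBootUpTime, InstallDate
        # Win32_Process exposes the full command line, which Get-Process hides.
        Processes = Get-CimInstance Win32_Process |
                    Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath
        Network   = Get-NetTCPConnection -State Established, Listen |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        Software  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                    Where-Object DisplayName |
                    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
        Tasks     = Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                    Select-Object TaskName, TaskPath,
                        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
        Services  = Get-CimInstance Win32_Service |
                    Select-Object Name, State, StartMode, PathName
        # Event 4104 is Script Block Logging; it is only present where that policy is on.
        PSBlocks  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                        -MaxEvents 200 -ErrorAction SilentlyContinue |
                    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }
    }
}

foreach ($Target in $Targets) {
    try {
        $Result = Invoke-Command -ComputerName $Target -ScriptBlock $Collect -ErrorAction Stop
        $Result | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $OutDir "$Target.json")
        Write-Host "[+] $Target collected"
    } catch {
        # A host that is offline or refuses WinRM should not stop the sweep.
        Write-Warning "[-] $Target failed: $($_.Exception.Message)"
    }
}
```

Each host ends up as one JSON file in a timestamped folder, so the output can be diffed between hosts or fed to a SIEM without reformatting.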

Detection Engineering

You can automate tedious cybersecurity tasks such as creating YARA rules, hunting for newly exploited vulnerabilities, and analyzing executable output. You can fine-tune ChatGPT's results to fit your needs. Let's try out some examples:

1. Create a YARA rule to detect Indicators of Compromise (IOCs).

2. Ask ChatGPT about CVEs.

3. Conduct live analysis.

1. Create a YARA rule to detect Indicators of Compromise (IOCs):

Of course, you can ask ChatGPT to change the conditions based on your input. You can also build complex conditions with it. But for this demonstration, we will keep it simple with the OR logical operator.
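As an added example (not the article's own rule), the function below generates a YARA rule from an IOC list, joining the conditions with OR as the article's rule does. Hash IOCs go through YARA's hash module rather than the strings section, since a file hash cannot be matched as a string. The IOC values at the bottom are constructed placeholders.

```powershell
# Added example, not from the article: build a YARA rule from an IOC list,
# joining the conditions with OR as the article's rule does. The IOC values
# at the bottom are constructed placeholders; substitute your own.
function New-IocYaraRule {
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [string[]] $Strings = @(),     # file names, paths, URLs, mutex names
        [string[]] $Sha256  = @(),     # hashes need the hash module, not strings:
        [string]   $Description = 'Generated IOC rule'
    )
    $lines = New-Object System.Collections.Generic.List[string]
    if ($Sha256.Count) { $lines.Add('import "hash"'); $lines.Add('') }
    $lines.Add("rule $RuleName")
    $lines.Add('{')
    $lines.Add('    meta:')
    $lines.Add("        description = `"$Description`"")
    $lines.Add("        generated   = `"$((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd'))`"")
    $conds = @()
    if ($Strings.Count) {
        $lines.Add('    strings:')
        for ($i = 0; $i -lt $Strings.Count; $i++) {
            # Escape backslashes and quotes so Windows paths survive as YARA text strings.
            $escaped = $Strings[$i].Replace('\', '\\').Replace('"', '\"')
            $lines.Add("        `$ioc$i = `"$escaped`" ascii wide nocase")
        }
        $conds += 'any of ($ioc*)'
    }
    # hash.sha256() yields lowercase hex, so normalise the input the same way.
    foreach ($h in $Sha256) {
        if ($h -notmatch '^[0-9a-fA-F]{64}$') { throw "Not a SHA-256 hex digest: $h" }
        $conds += "hash.sha256(0, filesize) == `"$($h.ToLower())`""
    }
    if (-not $conds) { throw 'At least one string or hash IOC is required.' }
    $lines.Add('    condition:')
    $lines.Add('        ' + ($conds -join ' or '))
    $lines.Add('}')
    return ($lines -join "`n")
}

# Constructed IOCs for illustration only.
New-IocYaraRule -RuleName 'Case1234_IOCs' `
    -Strings 'C:\Users\Public\update.bat', 'evil-update.example' `
    -Sha256 ('a' * 64) |
    Set-Content -Encoding ascii .\case1234_iocs.yar
```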

2. Get information about a CVE:

ChatGPT can be very helpful in understanding CVEs and the technical details surrounding them. Whether you need a technical explanation or a simpler one, ChatGPT can provide it. It's a great tool for digging deeper into vulnerabilities and understanding them more thoroughly.

3. Conduct live analysis:

Using ChatGPT, you can perform live analysis from a single central management console, namely PowerShell. With its capabilities, it can provide the necessary code and perform the following actions:

A. Download a specific executable, such as Autoruns from the Microsoft Sysinternals team, onto a target remote machine.

B. Execute the downloaded executable on the remote machine.

C. Review the generated output and analyze it for specific strings or columns, such as Launch String.

D. Pass the output to ChatGPT API for further analysis to determine if it is malicious or not.
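Steps A to D carried through in one script, as an added example that is not the article's own code. It uses the console build of Autoruns (autorunsc64.exe) so the output can be captured as CSV, and assumes WinRM access to the placeholder host, outbound HTTPS from that host to live.sysinternals.com, and an OpenAI API key in $env:OPENAI_API_KEY.

```powershell
# Added example of steps A to D, not the article's own code. Assumes WinRM
# access to $Target, outbound HTTPS from that host to live.sysinternals.com,
# and an OpenAI API key in $env:OPENAI_API_KEY; $Target is a placeholder.
$Target  = 'WS-PLACEHOLDER-01'
$Session = New-PSSession -ComputerName $Target

# A + B: fetch the console build of Autoruns on the host and run it.
#   -accepteula  no licence dialog   -a *  all entry types   -c  CSV output
#   -h  file hashes   -s  verify signatures   '*'  every user profile
$Csv = Invoke-Command -Session $Session -ScriptBlock {
    $tool = Join-Path $env:TEMP 'autorunsc64.exe'
    Invoke-WebRequest -Uri 'https://live.sysinternals.com/autorunsc64.exe' -OutFile $tool -UseBasicParsing
    & $tool -accepteula -nobanner -a * -c -h -s '*' 2>$null
}
Remove-PSSession $Session

# C: the CSV has a "Launch String" column; keep entries whose image is not
# from a verified signer or runs from a user-writable location.
$Suspect = $Csv | ConvertFrom-Csv | Where-Object {
    $_.'Launch String' -and (
        $_.Signer -notmatch '^\(Verified\)' -or
        $_.'Image Path' -match '\\Users\\|\\Temp\\|\\ProgramData\\'
    )
} | Select-Object Entry, 'Entry Location', 'Image Path', 'Launch String', Signer, 'SHA-256'

# D: send only the reduced set to the chat completions API for a second
# opinion. The verdict is advisory; an analyst still confirms each entry.
$Body = @{
    model    = 'gpt-4o'
    messages = @(
        @{ role = 'system'; content = 'You assist an incident responder. For each Autoruns entry say whether it looks benign, suspicious or malicious, and why.' },
        @{ role = 'user';   content = ($Suspect | ConvertTo-Csv -NoTypeInformation | Out-String) }
    )
} | ConvertTo-Json -Depth 5
$Reply = Invoke-RestMethod -Method Post -Uri 'https://api.openai.com/v1/chat/completions' `
    -Headers @{ Authorization = "Bearer $env:OPENAI_API_KEY" } `
    -ContentType 'application/json' -Body $Body
$Reply.choices[0].message.content
```

Filtering before step D keeps the bulk of the host's autostart inventory in-house and sends the model only the entries that already look out of place.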

In conclusion, while ChatGPT may not be sufficient or effective in a production environment for responding to incidents and hunting for suspicious activity, it is still highly valuable for automating tedious tasks and opens up new possibilities for future use. With ChatGPT, the possibilities are endless: it can help automate data collection, write detection rules, minimize response time, limit the impact of incidents, and improve your incident response KPIs. Remember to construct your questions carefully to get the desired output; as the saying goes, asking the right question is half the answer.

Keep an eye out for Part 2.
