News

How a Hacker Uses Generative AI: Report

• By David Ramel
• 07/13/2023

A recently released survey-based report provides insights into the use of generative AI by 'hackers,' but in this context, these hackers are the ethical "white hat" bug hunters, rather than malicious actors.

These hackers are not the stereotypical basement-dwelling teenagers or nation-state threat actors. Instead, they are individuals participating in the crowdsourced cybersecurity platform offered by Bugcrowd, which has just unveiled its annual "Inside the Mind of a Hacker" report for 2023.

The survey included 1,000 respondents from 85 countries, including the United States, Australia, Brazil, Canada, Ethiopia, India, France, Jordan, Singapore, and the United Kingdom.

Although the report covers a wide range of topics, including a glimpse into the profiles of professional hackers and the current state of hacking, it prominently features generative AI. Notably, Bugcrowd pointed out that its hackers, unlike some mainstream IT professionals, do not perceive advanced AI systems as a threat to their job security.

"Generative AI was a major theme in the 2023 report, with more than half of respondents (55 percent) saying that it can already outperform hackers or will be able to do so within the next five years," Bugcrowd said. "However, hackers aren't worried about being replaced, with nearly three out of four respondents (72 percent) saying that generative AI will not be able to replicate the creativity of hackers."

Some 78 percent of hacker respondents believe that AI will disrupt the way they work on penetration testing or bug bounty programs sometime in the next five years, said Bugcrowd, which noted that 40 percent of hackers reported that AI has already changed the way people hack. "Hackers are trending toward embracing AI and the many changes it will have on their day-to-day lives, but most hackers still have doubts about how far AI can actually go," the report said.

Some other AI-related data points highlighted by the company include:

• 94 percent plan to start using AI in the future to help them ethically hack
• 91 percent believe that AI technologies have increased the value of ethical hacking or will increase its value in the future
• 85 percent currently use generative AI in some aspect of their lives
• The top three use cases for using AI in security research were automating tasks, analyzing data, and identifying vulnerabilities.

In naming their chatbot of choice to help with their hacking, respondents overwhelmingly preferred OpenAI's ChatGPT over Google Bard and Bing Chat AI from Microsoft.

While Bugcrowd's report deals with white-hat bug hunters, the company presented data from the World Economic Forum that detailed the top five risks of threat actors:

• Building Better, More Sophisticated Malware: In the hands of hackers, generative AI can be used to generate hard-to-detect malware strains and execute attacks. Combined with AI models, malware could mask its intention until it fulfills its ill purpose.
• Writing AI-Powered, Personalized Phishing Emails: With the help of generative AI, phishing emails no longer have the tell-tale signs of a scam -- such as poor spelling, bad grammar, and lack of context. Plus, with AI like ChatGPT, threat actors can launch phishing attacks at unprecedented speed and scale.
• Generating Deep Fake Data: Since it can create convincing imitations of human activities -- like writing, speech, and images -- generative AI can be used in fraudulent activities such as identity theft, financial fraud, and disinformation.
• Cracking Captchas and Password Guessing: Used by sites and networks to comb out bots seeking unauthorized access, CAPTCHA can now be bypassed by hackers. By utilizing ML, they can also fulfill other repetitive tasks such as password guessing and brute-force attacks.
• Sabotaging ML in Cyber Threat Detection: If a security system is overwhelmed with too many false positives, a hacker can take it by surprise with a real cyberattack.

"Cybersecurity leaders must consider what cyber defense will look like in a world where a more diverse and numerous range of threat actors will have access to more powerful tools to create impact, as with more power comes more threats," said Bugcrowd founder and CTO Casey Ellis in the report. "One way to ensure that leaders are mounting an adequate defense is by learning from and engaging with hackers to stay ahead of the game. However, it's not all doom and gloom. I'm really excited about some of the findings in this report that indicate positive trends in the hacking community."