GenAI for Cyber Blue Team Education
Learning terminology - Attack Surface
One of the biggest benefits of using GenAI tools is that they can do things faster than we (humans) can. Not a little bit faster. More like seconds rather than minutes and minutes rather than hours faster. This can be huge help in many different ways. One of those is in training up entry level - or sometimes even mid-level - members of a cybersecurity team.
If you’ve just landed your first job in cybersecurity, just getting to grips with the people and teams you’ll work with can be half the battle for the first few weeks, months, or maybe even longer. Getting to grips with cyber terminology may also be a challenge. Attack Surface is a pretty basic term, but maybe not a term that all entry level cyber workers will have a solid understanding of. If I was a team lead looking to help a new colleague understand it, I might get a little assistance from a GenAI tool to create a good starting point overview quickly.
Today I tried that out with three GenAI apps: ChatGPT 4o, Claude 3.5 Sonnet, and the brand new Gemini Live on the Pixel 9 Pro XL. The very short story is … mission accomplished. The slightly less short story is that the responses from ChatGPT and Claude were better than Gemini Live, and even with more coaxing, Gemini Live did not provide anything I would use.
Side Note: I’ll write more about the Gemini Live experience soon - it is definitely not all bad.
Back to the Attack Surface Intro - courtesy of ChatGPT and Claude. Claude provided the simple attack surface image at the top of this post. Both ChatGPT and Claude gave very solid outlines on what an attack surface in cybersecurity is, as well as some solid guidance on how to reduce the attack surface. If I had to choose one to work with, ChatGPT would be the winner, but just by a small margin. I would more likely take a little from each of them.
Here’s my prompt to the three apps:
In cybersecurity, what is an attack surface and what are some good ways to reduce the attack surface?
For the components of an attack surface, I might start with these from ChatGPT:
Network Attack Surface: This includes vulnerabilities in the networking environment, such as open ports, services, protocols, and any accessible networked devices.
Software Attack Surface: This comprises the vulnerabilities within software applications, including code flaws, unpatched software, or misconfigurations.
Human Attack Surface: The human factor includes potential vulnerabilities due to social engineering, phishing, weak passwords, or lack of awareness among users.
Physical Attack Surface: This includes physical access to systems, such as hardware devices, servers, or workstations.
And add these from Claude:
APIs
Third-party dependencies
On the ways to reduce the attack surface both apps did well, but ChatGPT offered a more detailed response and one I could easily use in working with a new teammate:
Minimize the Services and Open Ports:
Disable unnecessary services: Only run services that are essential for the business.
Close unused ports: Limit open ports to only those needed for the required services.
Regular Patching and Updates:
Patch management: Regularly update and patch software, operating systems, and firmware to address vulnerabilities.
Automated updates: Implement automated patching where possible to ensure that all systems are up-to-date.
Implement Strong Access Controls:
Least privilege: Ensure users only have the minimum level of access necessary to perform their tasks.
Multi-factor authentication (MFA): Use MFA to add an additional layer of security beyond just passwords.
Reduce Application Attack Surface:
Application whitelisting: Only allow approved applications to run on the network.
Code review and secure development: Employ secure coding practices and perform regular code reviews to find and fix vulnerabilities.
Network Segmentation:
Isolate critical systems: Use network segmentation to isolate sensitive data and critical systems from the rest of the network.
Use VLANs and firewalls: Control traffic between network segments to reduce exposure.
Strengthen Endpoint Security:
Use Endpoint Detection and Response (EDR): Implement EDR tools to monitor and respond to threats at endpoints.
Harden devices: Remove unnecessary software, disable unneeded features, and use strong configurations.
Increase User Awareness and Training:
Security training: Regularly train users on security best practices, such as recognizing phishing attempts.
Simulated phishing attacks: Use these to test and improve employee responses to social engineering attacks.
Deploy Intrusion Detection and Prevention Systems (IDPS):
Monitor traffic: Use IDPS to monitor network traffic for signs of an attack and block it in real-time.
Anomaly detection: Employ systems that can identify unusual patterns that may indicate a breach.
Continuous Monitoring and Penetration Testing:
Regular vulnerability scans: Conduct regular scans to identify and remediate vulnerabilities in your environment.
Penetration testing: Engage in periodic penetration tests to identify and address security weaknesses.
Remove Redundant and Legacy Systems:
Decommission old systems: Ensure that legacy systems are either updated or decommissioned.
Consolidate systems: Reduce complexity by consolidating systems, which also reduces potential entry points.
The initial responses from ChatGPT and Claude were useful and usable; I did not any follow-up prompts to get something I could work with. Which leads right back to the speed factor here. The total time it took me to create my prompt for them, copy and paste it from one to the other, get the responses back from both apps, and review them, was no more than 5 minutes. Probably less than that, but I did not time it. It’s safe to say this would have taken me a lot longer without the two GenAI apps.
In case you missed them, I wrote another post on GenAI tools for cyber blue team education a few weeks ago:
And another on how I disagree with the idea that these GenAI tools are overhyped and find them super useful just a couple weeks ago:
