Inside the Mind of a 'Hacker': How They Use Generative AI

A new survey-based report sheds light on how "hackers" use generative AI, though in this case those hackers are bug hunters wearing white, not black, hats.

Rather than basement-bound teens or nation-state threat actors, hackers in this new report are those participating in the crowdsourced cybersecurity platform from Bugcrowd, which yesterday published its annual "Inside the Mind of a Hacker" report for 2023.

Although the report delves into a wide range of topics -- including a peek at what professional hackers look like and the state of hacking -- generative AI was featured prominently, just like it is in most tech initiatives these days. Unlike some mainstream IT pros, however, Bugcrowd noted that its hackers don't fear advanced AI constructs coming for their jobs.

"Generative AI was a major theme in the 2023 report, with more than half of respondents (55 percent) saying that it can already outperform hackers or will be able to do so within the next five years," Bugcrowd said. "However, hackers aren't worried about being replaced, with nearly three out of four respondents (72 percent) saying that generative AI will not be able to replicate the creativity of hackers."

Figure: AI Effects (source: Bugcrowd).

Some 78 percent of hacker respondents believe that AI will disrupt the way they work on penetration testing or bug bounty programs sometime in the next five years, said Bugcrowd, which noted that 40 percent of hackers reported that AI has already changed the way people hack. "Hackers are trending toward embracing AI and the many changes it will have on their day-to-day lives, but most hackers still have doubts about how far AI can actually go," the report said.

Some other AI-related data points highlighted by the company include:

  • 94 percent plan to start using AI in the future to help them ethically hack
  • 91 percent believe that AI technologies have increased the value of ethical hacking or will increase its value in the future
  • 85 percent currently use generative AI in some aspect of their lives

The top three use cases for AI in security research were automating tasks, analyzing data and identifying vulnerabilities.

Figure: Top Use Cases for AI in Security Research (source: Bugcrowd).

In naming their chatbot of choice to help with their hacking, respondents overwhelmingly preferred OpenAI's ChatGPT over Google Bard and Bing Chat AI from Microsoft.

Figure: Top 3 AI Chatbots Used for Hacking (source: Bugcrowd).

While Bugcrowd's report deals with white-hat bug hunters, the company also presented data from the World Economic Forum detailing the top five risks posed by threat actors using generative AI:

  • Building Better, More Sophisticated Malware: In the hands of hackers, generative AI can be used to generate hard-to-detect malware strains and execute attacks. Combined with AI models, malware could mask its intention until it fulfills its ill purpose.
  • Writing AI-Powered, Personalized Phishing Emails: With the help of generative AI, phishing emails no longer have the tell-tale signs of a scam -- such as poor spelling, bad grammar, and lack of context. Plus, with AI like ChatGPT, threat actors can launch phishing attacks at unprecedented speed and scale.
  • Generating Deep Fake Data: Since it can create convincing imitations of human activities -- like writing, speech, and images -- generative AI can be used in fraudulent activities such as identity theft, financial fraud, and disinformation.
  • Cracking Captchas and Password Guessing: Used by sites and networks to comb out bots seeking unauthorized access, CAPTCHA can now be bypassed by hackers. By utilizing ML, they can also fulfill other repetitive tasks such as password guessing and brute-force attacks.
  • Sabotaging ML in Cyber Threat Detection: If a security system is overwhelmed with too many false positives, a hacker can take it by surprise with a real cyberattack.

"Cybersecurity leaders must consider what cyber defense will look like in a world where a more diverse and numerous range of threat actors will have access to more powerful tools to create impact, as with more power comes more threats," said Bugcrowd founder and CTO Casey Ellis in the report. "One way to ensure that leaders are mounting an adequate defense is by learning from and engaging with hackers to stay ahead of the game. However, it's not all doom and gloom. I'm really excited about some of the findings in this report that indicate positive trends in the hacking community."

The survey included 1,000 respondents from 85 countries, including the United States, Australia, Brazil, Canada, Ethiopia, India, France, Jordan, Singapore and the United Kingdom.

About the Author

David Ramel is an editor and writer at Converge 360.
