🛠 Security Tool Cheatsheet
Alex Morgan — Senior Penetration Tester
Why AI Changes the Game for Threat Hunting
Threat hunting has become a core component of security operations: instead of waiting for alerts, analysts proactively search telemetry for evidence of compromise. Large language models can speed up parts of that work by summarizing log excerpts, proposing hypotheses, drafting queries, and explaining unfamiliar artifacts, but they are an aid to the analyst, not a replacement for telemetry or verification. This cheatsheet outlines how to use AI tools such as ChatGPT and Claude to make threat hunting faster without losing rigour.
Before You Start: How to Set Context Properly
When using AI for threat hunting, setting the context is key. Provide the relevant background and frame the request clearly: what environment the data comes from (log source, operating system, time window), which indicators of compromise (IOCs) you already have, and what kind of threat you are investigating. The clearer the query, the better the response. Two cautions before you paste anything: most of these tools are hosted services, so treat the prompt as data leaving your organization and redact or pseudonymize internal hostnames, usernames, addresses and anything else covered by your data-handling policy; and remember that the model only sees what you paste, so it cannot check a claim against telemetry you did not include.
Core Prompts Cheatsheet
Prompt: Analyze the following event log for any suspicious activity: [PASTE_EVENT_LOG]
What it does: Directs the model to examine a specific log excerpt for signs of malicious behaviour and to point at the lines that support each observation.
When to use it: When you have a specific log excerpt and want a second pass for anomalies you may have missed.
How to customize: Paste in any log format, such as Windows Event Log exports or syslog entries, and state the log source and time window so the model does not have to guess the schema. Redact or pseudonymize internal hostnames, usernames and addresses before pasting into a hosted service.
Prompt: Generate a hypothesis on potential threats based on the following network traffic data: [PASTE_NETWORK_DATA]
What it does: Analyzes the provided network data and proposes candidate threat scenarios, that is, hypotheses for you to test, not conclusions.
When to use it: When investigating unusual network behaviour and you need candidate explanations to prioritize.
How to customize: Include the specific traffic patterns or protocols involved (for example beaconing intervals, DNS query volumes or unusual ports), and ask for the evidence that would confirm or refute each hypothesis.
Prompt: What are the latest trends in ransomware attacks and how can we protect against them?
What it does: Asks the model to summarize recent ransomware trends and the defenses that address them.
When to use it: To refresh your background knowledge on ransomware threats and defenses before a hunt.
How to customize: Specify additional facets such as attack vectors or impacted industries. Caveat: a model only knows what was in its training data up to its cutoff, so treat "latest" as a starting point and confirm current details against vendor advisories and your threat intelligence feeds.
Prompt: Identify potential IOCs from this malware sample description: [PASTE_MALWARE_DESCRIPTION]
What it does: Suggests the kinds of indicators to look for (file paths, registry keys, persistence mechanisms, network behaviour) based on a description of a malware sample.
When to use it: When translating a malware write-up into hunt queries.
How to customize: Include details like file hashes, observed behaviour, or known exploit methods. Caveat: a model cannot derive real hashes, domains or IP addresses from a prose description; any concrete indicator it produces that you did not supply is unverified and must be checked against a threat intelligence source before it goes into a detection rule.
Prompt: List the best practices for conducting a threat hunting assessment.
What it does: Requests a compilation of best practices for a threat-hunting initiative.
When to use it: When planning a new threat-hunting program.
How to customize: Specify the aspect of hunting you want to focus on, such as tooling, hypothesis generation, or methodology.
Weak vs Strong Prompt Examples
- Weak: "Analyze this log." No source, no time window and no question, so the model has to guess the schema and tends to return generic advice.
- Strong: "Act as a SOC analyst. The following are Windows Security events (IDs 4624 and 4688) from one workstation over a ten-minute window; hostnames and addresses are pseudonymized. List any logon or process-creation events that suggest lateral movement, cite the line number for each, and state what you could not determine from this data: [PASTE_EVENT_LOG]"
Advanced Prompt Techniques
Use these techniques to refine your prompting:
- Role Prompting: Begin the prompt by specifying the role you want the model to assume, for example "Act as a cybersecurity analyst…".
- Chain-of-Thought: Ask the model to reason step by step before giving its answer, so you can see which observation led to which conclusion.
- Few-Shot Examples: Include one or two sanitized examples of the input and the answer you expect, which is the quickest way to pin down the format and level of detail.
- Output Formatting: Request the output format explicitly, such as a list, a table, or a JSON object with named fields, so the result can be parsed and checked rather than read once and forgotten.
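Putting the four techniques together, and adding the check that the IOC prompt above needs, here is an added example (not code from the original cheatsheet) that builds a role + few-shot + chain-of-thought + JSON-format prompt and then validates the reply: it pulls the JSON object out of the free-text reasoning, checks the required fields, and rejects any finding whose indicator does not actually appear on the log line it cites. The pseudonymized log, the reply and the indicator `evil.example.net` are all constructed for the example; the second finding is deliberately ungrounded to show what a fabricated indicator looks like when it is caught.

```python
import json
from typing import Dict, List

ROLE = "Act as a senior SOC analyst performing a threat hunt."

# Few-shot: one sanitized line and the shape of finding we expect back.
FEW_SHOT = (
    "Example log line 1:\n"
    "4624 Account Name: <USER_9> Source Network Address: <IP_9> Logon Type: 10\n"
    'Example finding: {"indicator": "<IP_9>", "type": "ip", '
    '"evidence_line": 1, "confidence": "medium"}\n'
)

# Chain-of-thought plus an explicit, parseable output contract.
FORMAT = (
    "Reason step by step first. Then output ONE JSON object with keys "
    '"findings" (list of objects with keys indicator, type, evidence_line, '
    'confidence) and "hypotheses" (list of strings). Use only indicators '
    "that appear verbatim in the log; do not invent hashes, domains or IPs."
)


def build_prompt(log: str) -> str:
    return f"{ROLE}\n\n{FEW_SHOT}\n{FORMAT}\n\nLog:\n{log}"


# Constructed, already-pseudonymized log (what would be pasted after redaction).
LOG = """\
4624 Account Name: <USER_1> Workstation: <HOST_1> Source Network Address: <IP_1> Logon Type: 3
4688 Account Name: <USER_1> Computer: <HOST_1> New Process Name: C:\\Windows\\System32\\rundll32.exe
"""

# Constructed model reply. The second finding cites a domain that is not in the log.
MODEL_REPLY = """Reasoning: line 2 shows rundll32.exe launched by the same account that logged on over the network in line 1...
{"findings": [
  {"indicator": "rundll32.exe", "type": "process", "evidence_line": 2, "confidence": "low"},
  {"indicator": "evil.example.net", "type": "domain", "evidence_line": 2, "confidence": "high"}
 ],
 "hypotheses": ["Possible living-off-the-land execution via rundll32 after a network logon"]}
"""

REQUIRED = {"indicator", "type", "evidence_line", "confidence"}


def extract_json(reply: str) -> Dict:
    """Return the first JSON object in the reply that has a 'findings' key,
    skipping any free-text reasoning that precedes it."""
    decoder = json.JSONDecoder()
    for i, ch in enumerate(reply):
        if ch != "{":
            continue
        try:
            obj, _ = decoder.raw_decode(reply[i:])
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "findings" in obj:
            return obj
    raise ValueError("no JSON object with a 'findings' key in reply")


def validate_findings(reply: str, log: str) -> Dict[str, List]:
    """Split findings into those grounded in the cited log line and those that are not."""
    lines = log.splitlines()
    obj = extract_json(reply)
    accepted, rejected = [], []
    for f in obj.get("findings", []):
        if not REQUIRED <= set(f):
            rejected.append((f, "missing keys"))
            continue
        n = f["evidence_line"]
        if not (isinstance(n, int) and 1 <= n <= len(lines)):
            rejected.append((f, "evidence_line out of range"))
            continue
        if f["indicator"] not in lines[n - 1]:
            # The indicator was not in the line the model cited: treat as unverified.
            rejected.append((f, "indicator not present in cited line"))
            continue
        accepted.append(f)
    return {"accepted": accepted, "rejected": rejected, "hypotheses": obj.get("hypotheses", [])}


if __name__ == "__main__":
    print(build_prompt(LOG))
    result = validate_findings(MODEL_REPLY, LOG)
    for f, why in result["rejected"]:
        print("REJECTED:", f["indicator"], "->", why)
    print("accepted:", [f["indicator"] for f in result["accepted"]])
```

Rejected findings are not necessarily wrong, but they are claims the model made without evidence you gave it; they go to the analyst for manual verification against threat intel, never straight into a detection rule.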
Claude vs ChatGPT: Which Works Better For This
Both Claude and ChatGPT are capable of the tasks in this cheatsheet, and their relative strengths shift with every model release, so any comparison is a snapshot:
- Claude: Often holds up well on long, context-heavy inputs and nuanced analysis, which suits intricate multi-line log and traffic reviews.
- ChatGPT: Often quick and reliable on structured tasks like reporting, summarization and reformatting.
Rather than taking either on reputation, run the same sanitized log through both with the same prompt and compare the findings against what you already know to be true in that data; that test, repeated when a new model version ships, is the only comparison that reflects your environment.
Tips for Getting Consistent Results
To ensure AI tools deliver consistent and useful results:
- Set clear context: Be specific about the log source, time window and question, and about what kind of security issue you want explored.
- Iterate and refine: Adjust the prompt based on earlier outputs to home in on the information you need, and ask the model to cite the line that supports each claim so you can spot an unsupported one quickly.
- Record the setup: Note which model and version produced a result; outputs change between releases, and a prompt that worked last quarter may need re-testing.
- Share insights: When you find an effective prompt, add it to a team repository together with the sanitized input it was tested on, so colleagues can reproduce the result rather than only reuse the wording.
Quick Reference: All Prompts in One Place
- Analyze the following event log for any suspicious activity: [PASTE_EVENT_LOG]
- Generate a hypothesis on potential threats based on the following network traffic data: [PASTE_NETWORK_DATA]
- What are the latest trends in ransomware attacks and how can we protect against them?
- Identify potential IOCs from this malware sample description: [PASTE_MALWARE_DESCRIPTION]
- List the best practices for conducting a threat hunting assessment.