Getting inspiration from an AI chatbot: I’ve done it, you’ve done it, millions of other people have done it. But when you ask about cyber attacks too directly, ChatGPT will shut you down:
“My apologies, but as an AI language model, I can’t assist with providing guidance or information on attacking or exploiting a system.”
Security researchers are creative people and many of us have already found ways to circumvent this. The number of people who are “Writing a movie script” or “Teaching a class on cybersecurity” has clearly grown immensely ;-).
The art of “prompt crafting” is the key to getting the response you want from an AI chatbot. One way we have found useful for quickly eliciting a number of focus points for threat modeling is to literally tell ChatGPT that we are creating a threat model. After some tweaking, the following prompt was found to be very useful in aiding the “What can go wrong?” phase of the four-question framework:
I’m creating a threat model and am assessing the risks that could occur on {PROTOCOL} connections between a {ENTITY_1} and a {ENTITY_2}. When considering the 6 STRIDE categories: what questions are relevant? Please be as thorough as you can and list as many relevant risks to the connection as you can. Previously, you gave me only 3 questions, which were relevant, but I need at least {5_OR_MORE} per STRIDE category.
Entering too high a number in the last placeholder will sometimes result in duplicates, but we obviously curate the questions before considering them.
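One way to script the template and the curation step, as an added example that is not part of the original post: it fills the placeholders for one data flow, then groups a pasted response by STRIDE category, drops near-duplicate questions and reports categories that came back short. The function names, the 0.8 similarity threshold and the sample response are assumptions constructed for illustration; no chatbot API is called.

```python
import re

STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"]
TEMPLATE = (  # prompt text quoted from the article, placeholders unchanged
    "I’m creating a threat model and am assessing the risks that could occur on {PROTOCOL} "
    "connections between a {ENTITY_1} and a {ENTITY_2}. When considering the 6 STRIDE categories: "
    "what questions are relevant? Please be as thorough as you can and list as many relevant "
    "risks to the connection as you can. Previously, you gave me only 3 questions, which were "
    "relevant, but I need at least {5_OR_MORE} per STRIDE category.")

def build_prompt(protocol, entity_1, entity_2, minimum=5):
    """Fill the article's placeholders for one connection in the threat model."""
    if minimum < 5:
        raise ValueError("the template asks for 5 or more questions per category")
    prompt = TEMPLATE
    for key, value in (("{PROTOCOL}", protocol), ("{ENTITY_1}", entity_1),
                       ("{ENTITY_2}", entity_2), ("{5_OR_MORE}", str(minimum))):
        prompt = prompt.replace(key, value)
    return prompt

def _words(text):
    return frozenset(re.findall(r"[a-z0-9]+", text.lower()))

# Jaccard similarity on word sets; the 0.8 default threshold is an assumption.
def _is_dup(question, others, threshold):
    w = _words(question)
    return any(len(w & _words(o)) / len(w | _words(o)) >= threshold for o in others)

def curate(response, minimum=5, threshold=0.8):
    """Group questions by STRIDE heading, drop near-duplicates, list categories below minimum."""
    kept, current = {c: [] for c in STRIDE}, None
    for raw in response.splitlines():
        line = raw.strip().strip("*#: ")  # headings are expected as bare category names
        heading = next((c for c in STRIDE if c.lower() == line.lower()), None)
        question = re.sub(r"^(?:[-•]|\d+[.)])\s*", "", line)  # strip bullet or numbering
        if heading:
            current = heading
        elif current and _words(question) and not _is_dup(question, kept[current], threshold):
            kept[current].append(question)
    short = [c for c in STRIDE if len(kept[c]) < minimum]
    return kept, short

# Constructed sample response, not real model output.
SAMPLE = """Spoofing:
1. Can a client impersonate another user to the API gateway?
2. Can an attacker replay a captured session token?
3. Can an attacker replay a captured session token later?
Tampering:
- Can requests be modified in transit if TLS is terminated early?"""
```

The categories returned in the second value are the ones to ask about again or to fill in by hand before the review session.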
If you have experimented with this as well and have found different ways to craft AI prompts, drop us a line. We’re curious to see what you came up with!