top of page
  • Writer's pictureTracy Camp
    • Apr 27
    • 4 min read

UpSight 2.0 - Fight AI, with AI

We are making a classic startup pivot. So, let's call this 'UpSight 2.0'.


GPT-4 is a big deal. I say that as somebody that didn't think blockchain, VR or web3 in general was something to get that excited about. Time will tell if GPT-4 is a big deal for good or not. But we here at UpSight see something that we know it will be bad for right now:


Phishing. On. Steroids.


There is a lot of buzz around using AI to generate 'deep fakes'. What I think has been lost is the less visually glamourous world of deep-fake plain text. Using information already available from your public, or possibly private interactions (such as this very blog post) it is possible to specialize models like GPT-4 to essentially speak in your voice and in context with the relationship between you and the recipient.


For instance, you get a message from your boss on your team slack channel telling you all to quickly complete some HR required security training by clicking on some <url> by 4pm today. You might groan, but you'll do it. It sounded like something your boss would say to you, and in the manner, they would say it. You are probably going to do it.... even if the URL turns out to be the initial step in a phishing attack, and the message was entirely generated by GPT-4 and posted using a stolen slack token.


Cyber-attacks are always a question of cost.


The name of the game for attackers is to gain as much money from looting victims at as low of a cost as possible. Conversely the name of the game for defenders is to make your customers more expensive to attack that somebody else's customers.


Language models like GPT4 really shift the economics of conducting a Phishing attack radically in the attacker's favor. We did a little 3-minute experiment ourselves asking ChatGPT to create an email in the voice of a famous guy named 'Elon' (who's voice is essentially already trained into the model due to being a particularly public figure) asking his employees to install an application from a somewhat dodgy sounding website. It nailed it. We then asked ChatGPT to generate the dodgy looking website copying the details from a legitimate site. It happily complied. These sort of 'customer interaction' and coding automation scenarios are precisely what we are being sold GPT-4 is good for!


Seriously less than 3 minutes of my effort and a few pennies to OpenAI. ChatGPT is a bit sandboxed (right now) so it can't register domain names, stand up web sites, get anonymous SSL certificates issued... but that is irrelevant! there are existing automation frameworks to do all of that.


I'm sorry to say you are going to start getting a lot more spam in your inbox as email filters fail to sort fake from real.


What do we do if Phishing just doesn't sound fishy anymore?


User training and email filtering can help, but...


The coming onslaught of AI assisted attacks fundamentally requires a new defensive strategy.

Not to mention the obvious fact that phishing isn't just for email... we communicate with each other at home and at work through so many different channels. Email filtering doesn't stop an attacker that is reaching out on LinkedIn, or Slack, or via poisoned Google ad search results, etc. Phishing is a high volume, low cost, AI-assisted multi-channel attack.


Not to worry - UpSight is on it. The one thing that an attacker cannot easily change is their tactics after the initial phishing attack. UpSight shifts the cost of attack back to being in favor of the defender.


Detect, Prevent and Evict in Real-Time


Our strategy is based on assuming that an AI assisted attacker is going to get past your email, anti-virus and user training defenses pretty frequently. UpSight quickly detects the first steps that an attacker takes, prevents further steps and then evicts the attacker from your computer - in real-time as the events are happening.


According to a recent IBM report, attackers cost $4.3 Million on average per incident in 2022. That is a LOT of money if you are running a small/medium business or insuring one. By detecting very early indications of an attack we are able to prevent the downstream impacts of ransomware, credential theft and data extortion.


Since AI automation means that an attacker can attack with frequency, the mean time between successful phishing attacks is also going to go down. So, we further focus on automated eviction of the attacker. This is important because business downtime due to dealing with phishing attacks is also costly.


And finally, we can detect, prevent and evict in real-time with confidence. While you probably still want to know that a Phishing attack happened and that we took care of it, you don't want to be flooded by a bunch of false positive alert paranoia either. Alert fatigue is a failure mode of most existing security strategies as much as anything else.


UpSight 2.0 - Fight AI, with AI


UpSight is entirely focused on shifting the economics of AI assisted attackers in order to help small/medium businesses survive the AI onslaught with our own Patent Pending Threat Graph AI technology. We'll have another blog post detailing how this technology works in the near future.


We are going to keep the existing UpSight Security for gamers and other home users around for the foreseeable future. It will continue to prevent your account tokens from being stolen like the champ that it is, and we may make the occasional update to it.


You will see our website changing, the existing client will be renamed 'UpSight Security Standalone' and a new cloud managed UpSight Security focused on the needs of business to combat AI assisted attackers will be introduced.


P.S.

... and for those curious... No, I did not have ChatGPT write this. But how could you tell?

55 views0 comments

Recent Posts

See All

We had the opportunity to present UpSight Security at the WestSide Pitch here in Oregon last Thursday. It was a lot of fun and we walked away with a large novelty check - so even better! Many thanks

bottom of page