LLMs unlock new paths to monetizing exploits

TL;DR

Large language models are poised to revolutionize cyberattack economics by enabling tailored, scalable, and more effective exploits, necessitating new defense strategies to counter these emerging threats.

Contribution

This paper demonstrates the practical feasibility of LLM-driven cyberattacks and highlights the urgent need for novel defense mechanisms against these evolving threats.

Findings

LLMs can identify sensitive information in datasets without human help.

LLMs enable tailored ransomware attacks based on individual device content.

Potential for widespread, scalable cyberattacks increases as LLMs become cheaper.

Abstract

We argue that Large language models (LLMs) will soon alter the economics of cyberattacks. Instead of attacking the most commonly used software and monetizing exploits by targeting the lowest common denominator among victims, LLMs enable adversaries to launch tailored attacks on a user-by-user basis. On the exploitation front, instead of human attackers manually searching for one difficult-to-identify bug in a product with millions of users, LLMs can find thousands of easy-to-identify bugs in products with thousands of users. And on the monetization front, instead of generic ransomware that always performs the same attack (encrypt all your data and request payment to decrypt), an LLM-driven ransomware attack could tailor the ransom demand based on the particular content of each exploited device. We show that these two attacks (and several others) are imminently practical using state-of-the-art LLMs. For example, we show that without any human intervention, an LLM finds highly sensitive personal information in the Enron email dataset (e.g., an executive having an affair with another employee) that could be used for blackmail. While some of our attacks are still too expensive to scale widely today, the incentives to implement these attacks will only increase as LLMs get cheaper. Thus, we argue that LLMs create a need for new defense-in-depth approaches.