The Interview with Jose Borges Ferreira, Anubis CEO, on the status quo of Email Security and Ransomware, for IT Security Magazine.
This interview can also be seen here (in Portuguese).
José Borges Ferreira (JBF) is the CEO of Anubisnetworks, one of the pioneers of cybersecurity in Portugal (2009), recently separated from Bitsight Technologies, and now fully focused on Email Security.
(interviewer): Are email systems still the main vehicle for spreading ransomware?
JBF: The more ubiquitous a technology, the more it is exploited by criminals. With 3 billion emails/day circulating in the world, it's easy to see how many covert attacks are possible. And email has many of the same characteristics as physical mail: we are never sure of the sender and the content, and it comes to us without announcement and without a request. We know that more than 1% of all emails are phishing attacks, and of those, 30% actually manage to cause some kind of damage, including getting malware to be triggered. Attacks often start with fraud and social engineering, with the ultimate intent of trying to get the victim to open a file or click on a malicious link. And, by managing to inject malware into victims' networks, attackers have a good chance of obtaining information that they can use in a variety of ways, including simply holding the information captive in exchange for ransom. For the U.S., we have data that shows that there's an average of more than 4 million euros of damages for each organization breached. In Portugal, with no statistical data, we'll just need to look at the recent news to understand the impact cybercrime is having on organizations such as TAP or CM de Loures, just to mention a few of the latest.
(interviewer): Is email security unable to prevent these attacks?
JBF: The vast majority of attacks are stopped by good systems and good organizations. And it depends on technological factors but also on a human understanding of whether a message will have fraudulent characteristics. Good systems analyze the authenticity, authorization, and reputational and relational data about the origin and destination and, of course, the content of the email in its two main aspects:
- everything that indicates that it could be a fraud (for example, a logo copied from another company or suspicious sentence construction) and
- anything that points to malicious content, be it hidden code, suspicious URLs and, of course, attachments. Spambots - because these attacks, due to the scale, use previously "contaminated" victims - manage to distribute emails that are all different, from different sources and very reliable-looking.
(interviewer): How has Portugal dealt with these cybercrimes?
JBF: We suffer from the globalization of Malware-as-a-service, and Emotet, AgentTesla, and all other malware are also around here, but on the other hand, these attacks almost always have a geographical and cultural component in the social engineering: we suffer unique attacks (e.g. related to our language), so comparisons at the country level are always unfair.
What has been changing in Portuguese organizations, for the better, is the notion that common security is not enough, and that they need something complementary that positively distinguishes them, leaving other organizations to be, perhaps, the path of least resistance for attackers. The paradigmatic example is Microsoft Exchange (and 365) which is used by most organizations and is also the most attacked system in the world - even recently the BlackCat ransomware exploited many organizations with this system. Now, this is an essential product, but it is likely that it will need an additional layer of security dedicated and segregated from the whole Microsoft environment, and which can also provide adequate control and visibility over all messages that try to enter and leave the organization.
We have seen a greater variety of solutions available for companies looking for quality and differentiation, and having layered security that is appropriate for your country or industry gives you an edge over your attackers and over other organizations.
(interviewer): But have many organizations in Portugal recently fallen victim to the Emotet Ransomware?
JBF: In our clients, we were able to prevent this attack. But yes, we admit that other organizations may have been infected: the attack was very well disguised and, in a first phase, passed through all our anti-malware systems - and we are talking about the systems with the greatest amplitude and quality in Portugal: Check Point, Bitdefender, and Sophos, among others - in fact, we only prevented the attack because we have our own technology that tries to decompress password-protected files and also analyzes the code inside documents, having seen something suspicious, even though the documents were all different. We stopped Emotet, and we will try to stop the following ransomware attacks, which are very, very sophisticated.
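The last answer describes two checks a mail gateway can apply to attachments: recognising password-protected archives, which ordinary scanners cannot look inside, and looking for executable code inside documents. The following Python is an added example, not Anubis's own technology: it parses an .eml and holds any ZIP-based attachment (plain .zip or an OOXML document) whose entries carry the encryption flag or that embeds a VBA project. The message and archives are constructed inline; the "encrypted" archive only has its header flag set, which is enough to exercise the check.

```python
import email, email.message, email.policy, io, zipfile

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is password-protected
def inspect_zip(data: bytes) -> dict:
    """Inspect a ZIP container (.zip or OOXML document) without extracting to disk."""
    verdict = {"encrypted": False, "macro": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED:
                    verdict["encrypted"] = True  # payload cannot be inspected as-is
                if info.filename.lower().endswith("vbaproject.bin"):
                    verdict["macro"] = True  # OOXML stores VBA code in vbaProject.bin
    except zipfile.BadZipFile:
        pass  # not a ZIP container (or malformed); nothing for this check to report
    return verdict

def scan_message(raw: bytes) -> list:
    """Return (filename, reasons) for each attachment that should be held for review."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    held = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = [k for k, hit in inspect_zip(payload).items() if hit]
        if reasons:
            held.append((part.get_filename(), reasons))
    return held
def build_zip(members: dict, mark_encrypted: bool = False) -> bytes:
    """Constructed sample ZIP; optionally set the encryption flag in each central-directory
    entry (data stays plain; zipfile reports flag_bits from there)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02") if mark_encrypted else -1
    while pos != -1:
        data[pos + 8] |= ENCRYPTED  # flag field sits 8 bytes after the entry signature
        pos = data.find(b"PK\x01\x02", pos + 1)
    return bytes(data)
def sample_eml() -> bytes:
    """Constructed lure: text body, a password-protected ZIP and a macro-bearing document."""
    msg = email.message.EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_zip({"invoice.doc": b"x" * 16}, True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(build_zip({"word/document.xml": b"<w/>", "word/vbaProject.bin": b"\0"}),
                       maintype="application", subtype="octet-stream", filename="report.docm")
    return msg.as_bytes()
```

A held attachment is a candidate for the kind of deeper analysis the answer mentions (attempting decompression, inspecting the embedded code), not a final verdict.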