Filipi Pires is a Security Researcher. He is also an active advocate of Hacking is NOT a Crime and a Red Team Village contributor. Filipi is also a part of the staff team of DEFCON Group São Paulo-Brazil, and contributor and reviewer at Hakin9 Magazine. Besides this he has served as professor at Brazilian colleges as FIAP, Mackenzie, UNIBTA and UNICIV.
He is the creator and instructor of the Course Malware Attack Types with Kill Chain Methodology (PentestMagazine) and Malware Analysis – Fundamentals (HackerSec Company).
He can be often found speaking at different security events and throughout the years have spoken at events in the US, Germany, Poland, Hungary, Czech Republic, Brazil and many other countries.
Let’s start the interview.
Question: Hello Filipi. I really appreciate you taking your time out for our today’s discussion on everything regarding cybersecurity. I hope you are as excited as me about this interview. Please tell our readers a bit about yourself regarding your interest and how you came to be a part of this revolutionizing sector that we call, Cybersecurity.
Filipi: First of all, it’s a pleasure to be giving you this interview, you can always count on me, So, my name is Filipi Pires, I’m from Brazil, and let’s see 😊..I started my career in cybersecurity in 2015 when I started to work at Trend Micro as a System Engineer. At that moment I had an opportunity to see how big the cybersecurity world was and how awesome it is to help the people and provide a secure world for the exchange of digital information. Btw, that is the culture from Trend Micro, but it’s real!
Question: I was just reading this piece on ZDNet on the frequent cyber threats that Brazilian businesses are currently facing. The article emphasized that it is the lack of cybersecurity teams in the corporate sector that becomes the basis of digital attacks. How much do you agree with it?
Filipi: Actually, it is not the lack of a security team in these companies. I understand it’s the lack of culture and well-implemented concepts. There’s no investment on the part of the Board team and understanding of how critical the data is and how big is the impact of an exploration. Unfortunately, cybersecurity is still only based on cost, and another point is if you think about the OWASP top 10, we can find a misconfiguration in the top 10. So we still have a big challenge, not only in Brazil, but I really believe that these big challenges are everywhere, I mean, in many countries.
Question: Can you elaborate on the most common types of threats that Brazilian companies usually face?
Filipi: In Brazil there are many types of threats. Many Brazilian companies still suffer a lot from ransomware attacks as anywhere in the world. However, in Brazil there is a type of “exclusive” attack that is related to the fake payment using a kind of “slip from banks,” because this is a payment method used only in Brazil. In addition of course, there is data leakage of many companies in government companies.
Question: When it comes to forming a cybersecurity team, what would be the most important advice you may give to an SME?
Filipi: Well, I believe that hard skill, I mean, technical skill can be trained, software is a little more complicated to train, of course it’s possible, but soft skill comes from the inside 🙂
In Brazil we have an expression that I will try to translate for you that says: “I’d rather hold crazy people than push dumb/lazy people!” I know that a translation does not convey the essence of this explanation, but I want to say that my main recommendation is to invest in people who really want to learn, and who have passion for knowledge.
If you want to think in hard skill, of course, it depends on the cybersecurity area, but I could suggest some such as:
REV, Exploit Development, Vulnerability Research, Operation systems, Computer Forensic, Offensive Security, Hardware Hacking, Open Source, Program Language, Develops, Windows/Linux Internals, Operating Systems, Data Science and so on.
Question: What’s your take on Brazil’s privacy law, LGPD?
Filipi: Good question! Another big challenge for the country, implementing laws has always been and will be a challenge, I believe it will be successful when the fines arrive, unfortunately, but still, the sad news is that in Brazil, there is an expression, the “Brazilian way”, so many are still going to use that excuse to bypass the laws.
But I know that it has many good people working a lot in the LGPD, but it is still a big challenge.
Question: If I am correct, you live by the motto, “hacking is not a crime.” Do you mean ethical hacking here?
Filipi: It’s not just a motto 😊
There is a fantastic project called “hacking is not crime” in which I’m one of the advocates. Hacking is NOT a Crime is a non-profit organization advocating global policy reform to recognize and safeguard hacker rights. We seek to raise awareness about the pejorative use of the terms “hacker” and “hacking” throughout the media and popular culture. Specifically, the negative stereotype with which the terms are so often associated. Hackers are often vilified and portrayed as unethical individuals with malicious intent.
Contrary to this misperception, being a hacker is a lifestyle and mindset, an identity. It is not a fashion statement or a movie character. A hacker is simply an ethical, curious, outside-the-box thinker who creates unorthodox solutions to complex problems. The actions and methods by which these problems are solved is called “hacking.” A criminal engages in unethical activities with malicious intent. Hackers do not.
More information is here: https://www.hackingisnotacrime.org/
Question: You are currently working at Zup Innovation, right? Would you mind sharing a bit about your critical role here as a Security Researcher & Principal Security Engineer?
Filipi: Actually, I no longer work at ZUP. I believe that by August I can talk about the new projects that are coming up, but it’s a secret for now 😊😊😊. However, they’re linked to the role of Security Researcher and Principal Security Engineer..
Working with Security Research (IMHO) you need to be creative in how you look at certain software, hardware, and more, applying the hacking concept, and as a Principal Security Engineer, you really need to be the technical reference, but the question is, how is it possible, only having passion for knowledge and learning?
Question: You seem to be more involved in studying and researching malware, and you also did an in-depth analysis on PDF vulnerabilities. Well, malware comes in many forms and through many mediums. What made you conduct your analysis specifically on PDFs?
Filipi: Yes, perfect, I really like to study about the Malware in PDFs, first of all, we need to understand how the structures works, and how the attackers use the structures to put malicious code inside of the PDF. One recommendation is to read the Didier Steves blog, a pretty cool reference in Malware Analysis and Researches: https://blog.didierstevens.com/
Question: Since the world has still not come out of the pandemic and many of us are still working from home, what security suggestions would you want to give our readers?
Filipi: Working from home has its advantages, but when we talk about the cybercrime scenario, it becomes a little more complex, especially for those who do not work with cybersecurity.
Our enemy is totally invisible, we fight against a kind of attacker that is usually a step ahead.
We often do not know how these malicious artifacts are created, where they come from, what kind of vaccine would be important to contain this type of pest.
Nowadays, when we receive an email, we should look for who the sender of that message is. When we are looking at the domain of the “person” who sent this email to us, we can check if it’s a potentially malicious email.
We should look at the type of extension that is attached to the email, if it is an executable, binary, Word Doc, PDF, among others, and we need to be careful when opening all types of files.
We have come to see that attackers have used many messages by SMS to also collect information from their victims.
Thank you very much Filipi for the interview. Our readers will definitely love this interview. As for our readers, you can follow Filipi through his Twitter where he often tweets @FilipiPires or follow him on Linkedin https://www.linkedin.com/in/filipipires or his site https://filipipires.com/.