Because email remains the most ubiquitous form of business communication, it continues to be a favorite attack vector for cybercriminals. Email has always been vulnerable because it was not originally designed with security or privacy in mind. As a result, email security vendors emerged to protect this critical communication channel. In the early days, many vendors used signature or reputation-based detection technologies, which later evolved into sandboxing and dynamic analysis and, for a time, were very effective. Unfortunately, cybercriminals have been evolving faster than the solutions built to block them, and now the current approaches to email security are significantly less effective.
Over the last few years, cybercriminals have shifted their focus from sending “trusted” content to deceive a system to practicing identity deception to deceive a person into thinking an email message is trusted. Existing approaches focus largely on inspecting message content and assessing the reputation of the servers the message came from. Cybercriminals understand this paradigm and changed the primary vector of attack to use identity deception tactics to convince the recipient to take the requested action.
A New Day, A New Email Threat
Today’s modern email attacks inherently use identity deception to circumvent existing email defenses, such as secure email gateways (SEGs). The key to an identity deception-based attack is impersonation, where the attacker sends a message that seems to come from a known identity—an individual, organization, or brand that is trusted by the recipient—to convince him or her to take action, such as completing a wire transfer or disclosing sensitive data. In addition, most attacks leverage evasive techniques, such as launching the attack from a reputable email service like Gmail or Outlook, leveraging pretext to increase trust, and then deploying sandbox-aware malware or even no malicious content or payload at all. These attacks are multiplying and are increasing the likelihood of financial and reputational damage, often with C-level or even boardroom-level ramifications.
The most common form of identity deception is a Display Name Attack. Since common consumer mailbox services such as Gmail, Yahoo!, and Outlook allow a user to specify any value in the display name portion of the "FROM" header, an attacker can simply insert the identity of a trusted individual, such as the CEO, or a trusted brand, such as the bank that the recipient uses, into the display name field, making this type of attack simple and cheap to stage.
In addition to Display Name deception, attackers might also try to gain the trust of the victim by spoofing the recipient’s own domain, by using a lookalike domain, or, in a much more advanced and malicious scenario, by an Account Takeover (ATO)-based attack: compromising a legitimate, previously established email account and then using it to launch the targeted attack.
The Next Generation of Email Security
In response to the shortcomings of current email security solutions to combat these types of attacks, we have developed a unique approach—the Fortra Identity Graph. Instead of focusing on email content and infrastructure reputation, the Fortra Identity Graph utilizes advanced machine learning techniques to focus on people, known relationships, and predictable human behavior.
The goal of Fortra's Identity Graph is to model the email-sending behavior of all legitimate senders across the Internet and to update these behavioral models in real time. Using Internet-scale sources of email telemetry, patented scalable algorithms, and a real-time machine learning pipeline, the system develops individual, organizational and class-based behavioral models that allow it to uniquely determine the trustworthiness of legitimate emails. By modeling the good, rather than trying to detect the bad, the Fortra Identity Graph can detect both known and unknown security threats, thereby reducing risk and the likelihood that an email-based attack will be successful.
How Does the Fortra Identity Graph Work?
It employs four key phases of machine learning analysis and scoring:
Phase 1: Identity Mapping
Identity Mapping is the process of using identity markers visible to the recipient, such as the display name, email address, or subject line, to map the sender of the message to a previously established identity, organization, or broader classification.
Phase 2: Behavioral Analytics
Once the sender is mapped to an identity, the system applies behavioral analytics against the features of the message to identify any anomalous behavior. This process accounts for, but is not limited to, behaviors such as the frequency with which messages are typically sent, whether the sender has ever interacted with the recipient or the organization before, and whether the content and structure of the message are expected by the recipient.
Phase 3: Trust Modeling
This phase measures the likelihood that the recipient trusts the sender enough to open the message and be impacted by a malicious attack. Ultimately, the model evaluates interaction: the closer the previously observed interaction, the less tolerant the model becomes of anomalous behavior.
Phase 4: Trust Scoring
Using advanced algorithms incorporating a combination of the features and indicators from the three previous phases, the system produces a final score with a high degree of efficacy, determining whether the recipient should perceive the message as trusted or untrusted. To support this modeling, it leverages the elasticity enabled by its cloud native architecture to drive multiple model updates daily, allowing the system to maintain a real-time understanding of email behavioral patterns.
In the example of Kate Bolseth @ SashimiBank above, which came from a generic "[email protected]" From address, the threat actor used a lookalike domain for Gmail (Gmaill) that would generally be missed by the naked eye. However, Fortra's Identity Graph models caught it via the identified policies listed and gave it an overall low trust score of 0.5, based on the combination of a low authenticity score and the poor domain reputation of gmaill.com, as shown below:
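As an added illustration (not Fortra's code, and not how the Identity Graph is implemented), the following Python sketches the Phase 1 idea in defensive form: parse the visible From header, map the display name to a known identity with an expected sending domain, flag a lookalike domain such as gmaill.com, and fold the findings into a toy trust score. The identity directory, trusted-domain list, edit-distance threshold, and scoring weights are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed directory of known identities: display name -> expected sending domains.
KNOWN_IDENTITIES = {
    "kate bolseth": {"sashimibank.com"},
    "sashimibank": {"sashimibank.com"},
}
# Constructed list of trusted domains that attackers might imitate with lookalikes.
TRUSTED_DOMAINS = ["gmail.com", "outlook.com", "yahoo.com", "sashimibank.com"]


def levenshtein(a, b):
    """Classic edit distance; small distance to a trusted domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, max_distance=2):
    """Return the trusted domain this one most closely imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    best = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(domain, t))
    return best if levenshtein(domain, best) <= max_distance else None


def assess_from_header(from_header):
    """Map the visible identity markers to findings and a toy trust score in [0, 1]."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Phase 1 (toy): display name claims a known identity, but the address domain is not theirs.
    expected = KNOWN_IDENTITIES.get(name.strip().lower())
    if expected and domain not in expected:
        findings.append("display-name-mismatch")
    # Lookalike domain check against the trusted list (e.g. gmaill.com vs gmail.com).
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike-domain:{target}")
    # Assumed weighting: each finding removes 0.4 of trust, floored at 0.
    trust = max(1.0 - 0.4 * len(findings), 0.0)
    return {"name": name, "domain": domain, "findings": findings, "trust": trust}
```

Run `assess_from_header('Kate Bolseth <kate.bolseth@gmaill.com>')` to see both findings fire; a message from the expected sashimibank.com domain produces no findings.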
The Fortra Identity Graph was developed as the core of next-generation advanced email threat protection, using machine learning algorithms to detect modern, identity-based attacks. The Identity Graph leverages a variety of email telemetry sources, including trillions of email insights annually, and incorporates local context for a specific company. Organizations protected by the Identity Graph are well positioned against the latest attacks of today and the next evolution of attacks that we can expect to see in the future.