Because email remains the most ubiquitous form of business communication, it continues to be a favorite attack vector for cybercriminals. Email has always been vulnerable because it was not originally designed with security or privacy in mind. As a result, email security vendors emerged to protect this critical communication channel. In the early days, many vendors used signature or reputation-based detection technologies, which later evolved into sandboxing and dynamic analysis and, for a time, were very effective. Unfortunately, cybercriminals have been evolving faster than the solutions built to block them, and now the current approaches to email security are significantly less effective.
Over the last few years, cybercriminals have shifted their focus from sending “trusted”content to deceive a system to practicing identity deception to deceive a person into thinking an email message is trusted. Existing approaches focus largely on inspecting message content and assessing the reputation of the servers the message came from. Cybercriminals understand this paradigm and changed the primary vector of attack to use an Identity Deception approach to convince the recipient to take the requested action.
Today’s modern email attacks inherently use Identity Deception to circumvent existing email defenses. The key to an Identity Deception-based attack is impersonation, where the attacker sends a message that seems to come from a known identity—an individual, organization, or brand that is trusted by the recipient—to convince him or her to take actions, such as completing a wire transfer or disclosing sensitive data. In addition, most attacks leverage evasive techniques such as launching the attack from a reputable email service like Gmail or Office 365, leveraging pretext to increase trust, or using sandbox-aware malware or even no malicious content at all. These attacks are succeeding and are increasing the likelihood of causing financial and reputational damage, often with C-level or even boardroom-level ramifications.
The most common form of Identity Deception is a Display Name Attack. Since common consumer mailbox services such as Gmail and Microsoft allow a user to specify any value in the display name portion of the FROM header, an attacker can simply insert the identity of a trusted individual, such as the CEO of the targeted company, or a trusted brand, such as the bank that the recipient uses into the display name field, making this type of attack simple and cheap to stage.
In addition to a Display Name Attack, attackers might also try to gain the trust of the victim by spoofing the recipient’s own domain, using a lookalike domain, or in a much more advanced and malicious scenario such as an Account Takeover (ATO)-based attack, first compromise a legitimate previously-established email account and use this account to launch the targeted attack.
In response to the shortcomings of current email security solutions to combat these types of attacks, we have developed a new approach—the Agari Identity Graph™. Instead of focusing on email content and infrastructure reputation, the Agari Identity Graph utilizes advanced machine learning techniques to focus on people, known relationships, and predictable human behavior.
The goal of Agari Identity Graph is to model the email-sending behavior of all legitimate senders across the Internet and to update these behavioral models in real-time. Using Internet-scale sources of email telemetry, patented scalable algorithms, and a real-time machine learning pipeline, the system develops individual, organizational and class-based behavioral models that allow it to uniquely determine the trustworthiness of legitimate emails.
By modeling the good, rather than trying to detect the bad, Agari Identity Graph can detect both known and unknown security threats, thereby reducing risk and the likelihood that an email-based attack will be successful.
The Agari Identity Graph works by employing four key phases of machine learning analysis and scoring:
Identity Mapping is the process of using identity markers visible to the recipient such as display name, email address, or subject lines to map the sender of the message to a previously established identity, organization, or broader classification.
Once the sender is mapped to an identity, the system applies behavior analytics against the features of the message to determine any anomalous behavior. This process accounts for, but is not limited to, behaviors such as frequency of when messages are typically sent, whether the sender has ever interacted with the recipient or the organization, or whether the content and structure of the message is expected by the recipient.
Finally, the last phase measures the likelihood that the recipient trusts the sender enough to open the message and be impacted by a malicious attack. Ultimately, the model evaluates interaction; the closer the previous observed interaction, the less tolerant for anomalous behavior the model becomes.
Using advanced algorithms incorporating a combination of the features and indicators from the three previous phases, the system produces a final score with a high degree of efficacy, determining whether the recipient should perceive the message as trusted or untrusted.
To support this modeling, Agari leverages the elasticity enabled by its cloud native architecture to drive over 300 million model updates daily, allowing the system to maintain a real-time understanding of email behavioral patterns.
The Agari Identity Graph was developed as the core of the next generation of advanced threat protection for email, taking a new approach to detecting modern, sophisticated, identity-based attacks. The Identity Graph leverages a variety of email telemetry sources, including insights from over 2 trillion emails annually, that incorporate local context for a specific company. Organizations that are protected by the Identity Graph are well positioned to be protected against the latest attacks of today and the next evolution of attacks that we expect to see in the future.