Email Security Blog

The Agari Identity Graph: A New Way to Combat Phishing and Business Email Compromise

Ramon Peypoch December 30, 2018 Email Security

Because email remains the most ubiquitous form of business communication, it continues to be a favorite attack vector for cybercriminals. Email has always been vulnerable because it was not originally designed with security or privacy in mind. As a result, email security vendors emerged to protect this critical communication channel. In the early days, many vendors used signature or reputation-based detection technologies, which later evolved into sandboxing and dynamic analysis and, for a time, were very effective. Unfortunately, cybercriminals have been evolving faster than the solutions built to block them, and now the current approaches to email security are significantly less effective.

Over the last few years, cybercriminals have shifted their focus from sending “trusted”content to deceive a system to practicing identity deception to deceive a person into thinking an email message is trusted. Existing approaches focus largely on inspecting message content and assessing the reputation of the servers the message came from. Cybercriminals understand this paradigm and changed the primary vector of attack to use an Identity Deception approach to convince the recipient to take the requested action.

 identity impersonation

A New Day, A New Email Threat

Today’s modern email attacks inherently use Identity Deception to circumvent existing email defenses. The key to an Identity Deception-based attack is impersonation, where the attacker sends a message that seems to come from a known identity—an individual, organization, or brand that is trusted by the recipient—to convince him or her to take actions, such as completing a wire transfer or disclosing sensitive data. In addition, most attacks leverage evasive techniques such as launching the attack from a reputable email service like Gmail or Office 365, leveraging pretext to increase trust, or using sandbox-aware malware or even no malicious content at all. These attacks are succeeding and are increasing the likelihood of causing financial and reputational damage, often with C-level or even boardroom-level ramifications.

The most common form of Identity Deception is a Display Name Attack. Since common consumer mailbox services such as Gmail and Microsoft allow a user to specify any value in the display name portion of the FROM header, an attacker can simply insert the identity of a trusted individual, such as the CEO of the targeted company, or a trusted brand, such as the bank that the recipient uses into the display name field, making this type of attack simple and cheap to stage.

In addition to a Display Name Attack, attackers might also try to gain the trust of the victim by spoofing the recipient’s own domain, using a lookalike domain, or in a much more advanced and malicious scenario such as an Account Takeover (ATO)-based attack, first compromise a legitimate previously-established email account and use this account to launch the targeted attack.

The Next Generation of Email Security

In response to the shortcomings of current email security solutions to combat these types of attacks, we have developed a unique approach—the Agari Identity Graph™. Instead of focusing on email content and infrastructure reputation, the Agari Identity Graph utilizes advanced machine learning techniques to focus on people, known relationships, and predictable human behavior.

The goal of Agari Identity Graph is to model the email-sending behavior of all legitimate senders across the Internet and to update these behavioral models in real-time. Using Internet-scale sources of email telemetry, patented scalable algorithms, and a real-time machine learning pipeline, the system develops individual, organizational and class-based behavioral models that allow it to uniquely determine the trustworthiness of legitimate emails.

By modeling the good, rather than trying to detect the bad, Agari Identity Graph can detect both known and unknown security threats, thereby reducing risk and the likelihood that an email-based attack will be successful.

identity mapping

How Does the Agari Identity Graph Work?

The Agari Identity Graph works by employing four key phases of machine learning analysis and scoring:

Phase 1: Identity Mapping

Identity Mapping is the process of using identity markers visible to the recipient such as display name, email address, or subject lines to map the sender of the message to a previously established identity, organization, or broader classification.

Phase 2: Behavioral Analytics

Once the sender is mapped to an identity, the system applies behavior analytics against the features of the message to determine any anomalous behavior. This process accounts for, but is not limited to, behaviors such as frequency of when messages are typically sent, whether the sender has ever interacted with the recipient or the organization, or whether the content and structure of the message is expected by the recipient.

Phase 3: Trust Modeling

Finally, the last phase measures the likelihood that the recipient trusts the sender enough to open the message and be impacted by a malicious attack. Ultimately, the model evaluates interaction; the closer the previous observed interaction, the less tolerant for anomalous behavior the model becomes.

Phase 4: Identity Graph Scoring

Using advanced algorithms incorporating a combination of the features and indicators from the three previous phases, the system produces a final score with a high degree of efficacy, determining whether the recipient should perceive the message as trusted or untrusted.

To support this modeling, Agari leverages the elasticity enabled by its cloud native architecture to drive over 300 million model updates daily, allowing the system to maintain a real-time understanding of email behavioral patterns.

The Agari Identity Graph was developed as the core of the next generation of advanced threat protection for email, taking a new approach to detecting modern, sophisticated, identity-based attacks. The Identity Graph leverages a variety of email telemetry sources, including insights from over 2 trillion emails annually, that incorporate local context for a specific company. Organizations that are protected by the Identity Graph are well positioned to be protected against the latest attacks of today and the next evolution of attacks that we expect to see in the future.

identity graph scoring

Agari Blog Image

May 18, 2022 Ramon Peypoch

What Is Email Spoofing and How Do You Protect Against It?

What is Email Spoofing? Email spoofing is one of the most common forms of cybercriminal…

Computer Showing Secure Email Server

March 9, 2022 John Wilson

Securing Your Email with DMARC

Understanding the What, How, and Why of DMARC You probably already know this, but it…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

mobile image