Organizations are more likely to be breached today than ever before, as cybercriminals shift tactics once again, using account takeovers (ATOs) to launch targeted email attacks. In fact, a recent Osterman Research survey showed that 33% of organizations were victims of an ATO-based email attack. Attackers know that trusted email is the most effective way of breaching an enterprise, as existing security controls cannot detect these attacks since they come from previously-established credible senders. Meanwhile, employees have a hard time spotting these attacks because they appear to come from trusted colleagues. As such, organizations must place a higher priority in protecting against account takeovers—or risk becoming the next victim.
In the past year, we have seen a 300% increase in the number of compromised accounts sending advanced email attacks into the organization and we see stopping this threat as a critical security control.
– CSO, Large Healthcare Organization
Agari Advanced Threat ProtectionTM prevents account takeover-based attacks from reaching employee inboxes. It also inspects email flowing within the organization for indicators that an internal email account has been compromised for unauthorized use. Once an account takeover is suspected, Agari Advanced Threat Protection prevents the spread of malicious emails from affected accounts laterally within and external to the organization.
Agari has configured the Agari Identity GraphTM to model external ATO-based behavior to prevent account takeovers originating outside the organization. The Agari Identity Graph also scans internal employee-to-employee messages to detect malicious attachments and URLs sent from compromised internal accounts.
Identity Mapping: Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or a broader classification.
Behavioral Analytics: Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient or whether the content of the message sent by the sender is expected.
Trust Modeling: The final phase determines if communication from the sender is expected by the recipient. Ultimately the system models interaction—how often the sender/recipient interact and if the responsiveness between the two is normal.
Identity Graph Scoring: The final Identity Graph Score of a message is a combination of the features and indicators of the three phases that determines whether the attack is indeed originating from a compromised account.
With the increased effectiveness of exploiting account takeovers over existing techniques, rising financial gains, and lack of organizational protections, attackers are highly motivated to increase their attack rate in the coming year. With Agari Advanced Threat Protection, organizations will have the prevention capabilities needed to stop these attacks—ensuring critical business communication continues to flow securely and uninterrupted.