Can you trust your inbox? Can your employees? Attackers have moved beyond sending malicious payloads to impersonating trusted senders in ways that are hard for even security-conscious people to detect—and easy for legacy email security tools to miss. These new attacks can steal funds and account credentials while also eroding trust in your organization.

Download this white paper to learn how Agari Identity Graph™ stops these social-engineering email attacks with:

  • Identity Mapping that examines identity markers and maps them to your company’s organizational identity;
  • Behavioral Analytics that uses multiple models to evaluate the expected email behavior of your employee, partner, and customer identities; and
  • Trust Modeling that clarifies the relationship between sending identities and recipients to secure your organization’s email channel.

Executive Summary

While new business communication and collaboration tools emerge every day, email remains the most popular method of intra- and inter-company communication. However, the ubiquity of email, along with well-known limitations in its technology underpinnings, makes it a leading attack vector for cybercriminals.

Traditional approaches to corporate email security focus largely on inspecting message content and assessing the reputation of a message’s infrastructure of origin. These techniques have become ineffective in recent years as attacks have grown more targeted in nature and increasingly blend in with legitimate email traffic delivered from trusted, mainstream email platforms.

In addition to their effectiveness at circumventing first-generation email defenses, email attacks that explicitly target senior executives or IT administrators have a much greater likelihood of causing financial and reputational damage with C-Suite or even boardroom-level ramifications.

Criminals have evolved the techniques they use for email-based attacks from content deception to identity deception. They use the identity markers of trusted individuals and brands to convince victims to take actions such as wiring money or disclosing sensitive information. The current generation of email security solutions is not able to detect these attacks, resulting in a significant rise in financial and data loss over the last few years.

The best way to protect your organization from the latest generation of targeted email attacks is to deploy a protection model that focuses less on just email content and infrastructure reputation and more on people, relationships, and predictable human and system behavior.

The Agari Identity Graph™ achieves this by combining Internet-scale data telemetry with advanced artificial intelligence and machine learning techniques to model email senders’ and recipients’ identity characteristics, expected behavior, and personal, organizational, and industry-level relationships.

By modeling the good and reacting to anomalies rather than trying to detect the bad, the Agari Identity Graph™ can protect your IT environment from both known and unknown security threats, reducing the risk that an email-based attack will negatively affect your business.

The Next Generation of Email Security

Generation 1 

The traditional approach to email security was driven by the type of attack circa 2000-2005: spam, scattershot credential phishing, and broad-based virus and worm attacks. The attacks had wide distribution, were launched from botnets and compromised servers, and had content signatures that were distinct from legitimate email. The primary secure email gateway (SEG) vendors built Generation 1 solutions using models based on content analysis and infrastructure reputation to detect these attacks and were quite successful in blocking the vast majority of them.

Generation 2

In the timeframe of 2010-2015, we saw a significant increase in the sophistication of attackers. The attacks became more targeted and often leveraged advanced polymorphic malware. These attacks evaded detection based on traditional content and antivirus signatures. The result was the development of Generation 2 solutions leveraging the malware sandbox and more sophisticated dynamic analysis to address the sophisticated malware attack.

In the last few years, we’ve seen a fundamental drop in efficacy of the previous two generations of detection, driven by the following trends:

  • Criminal Cloud Adoption – Attackers are increasingly using legitimate cloud platforms and services, or even compromised accounts, to launch their attacks, making infrastructure reputation less useful. If attackers use Google or Microsoft infrastructure to launch attacks, a solution can’t just blacklist these services since they also send a large amount of legitimate email.
  • Targeted Attacks – The messages sent by attackers are increasingly hard to differentiate from legitimate business email. This is especially true for targeted attacks that are highly personalized, seem to come from trusted identities, have content that is almost identical to regular business email, and leverage social engineering, making traditional content analysis largely ineffective.
  • Sandbox-Aware Malware and “No Payload” Attacks – Finally, the latest malware families are increasingly becoming sandbox-aware and many types of attack don’t even leverage any type of active payload. This makes dynamic analysis significantly less effective for the modern attack.

The modern email attack primarily leverages identity deception. Specifically, the attacker sends a message that seems to come from a known identity – an individual, organization, or brand that is often trusted by the recipient. Leveraging security gaps in the underlying email protocols or user interface constraints of email clients, attackers are increasingly able to convince recipients to respond or take action based on the trust associated with the perceived identity of the sender of an email. Identity deception attacks, including their variants that leverage social engineering and carry out business email compromise, have resulted in significant financial and data losses in the last few years.

Next Generation 

The next generation of email security solutions has to take a fundamentally different approach from that used by the previous two generations to detect modern, sophisticated, identity-based attacks.
