After two decades and billions spent adding layers of security controls, the rate at which organizations are being defrauded and breached has never been higher. For 95% of security breaches, cybercriminals use a targeted email attack as the initial point of entry [1]. Many CISOs have been stuck in a valiant but defensive battle as they combat an infinite number of attack variations. For every new cyber attack, security providers have created a defense based on identifying indicators of malicious activity, and cybercriminals have evaded detection by avoiding use of those indicators.
What if you could turn the tables on cybercriminals and shift from fighting a series of defensive battles on attackers’ terms to actively securing yourself against all targeted attacks on your terms? There are two fundamental shifts in thinking that are required to make the transition.
First, you have to change your approach from implementing controls that try to detect bad activity to those that model good trusted communications. The factor that provides the most signal in distinguishing between malicious and legitimate email is the identity of the sender and the level of trust associated with that sender. The common thread among all targeted email attacks is that attackers impersonate a trusted entity. If you can prevent identity deception, you can reliably stop current and future types of targeted attacks.
Second, it is critical to recognize that the most common targets and most vulnerable parts of your business are your employees, customers, and partners—the humans that make decisions every day that can result in financial losses, security breaches, and brand damage. Unfortunately, research has shown it is impossible to reliably train humans to differentiate between malicious and legitimate communication.
This whitepaper discusses why the predominant security paradigm fails and how to turn the tables on the criminals, as well as explains Agari’s solution to the problem of malicious email. The Agari Secure Email Cloud is the only system that models authentic, trustworthy communications to protect humans from being deceived by cyberattacks such as phishing, ransomware and business email compromise — including targeted attacks with no attachments or URLs in the emails. Agari’s technology analyzes emails at a scale of more than two trillion emails per year to identify characteristics of authentic and trusted communications and protect you against everything else.
As unwanted email has transitioned from annoyance to malice, and from large scattershot batches to small targeted campaigns, the principal detection method has remained the same: detecting known bad, whether by volume, sender identity, or content. Detection of known bad URLs, for example, is commonly used to identify and block phishing messages. While useful to limit the impact of large-scale campaigns, this approach doesn’t address the problem of spear phishing, where the odds of even learning about offending URLs are low—and the chances of doing so while it still matters are negligible. Criminals routinely circumvent filters by frequently modifying their URLs, making identification of known-bad indicators a constant catch-up game. Similarly, criminals evade signature-based malware detection (a form of blacklisting) by using crypters to periodically generate never-seen-before instances of known malware threats.
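To make the contrast drawn above concrete, the following is an added example, not Agari's code or any product's: it runs a known-bad URL blocklist and a minimal trusted-sender identity model over the same four constructed messages. Every address, URL and message body is made up for the illustration, and the "trusted sender" table is a stand-in for whatever model of legitimate communication an organization actually maintains.

```python
import re
from dataclasses import dataclass

# Constructed data for this example: one "known bad" URL that has already been
# reported, and a model of which sender addresses legitimately use which display names.
KNOWN_BAD_URLS = {"http://paypa1-verify.example/login"}
TRUSTED_SENDERS = {
    "payments@paypal.example": "paypal",   # constructed: address -> lowercase display name
    "jane.doe@acme.example": "jane doe",
}


@dataclass
class Email:
    from_name: str
    from_addr: str
    body: str


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def blocklist_verdict(msg: Email) -> bool:
    """Known-bad detection: flag only if a URL in the body is on the blocklist."""
    return any(url in KNOWN_BAD_URLS for url in URL_RE.findall(msg.body))


def identity_verdict(msg: Email) -> bool:
    """Model good: a display name that belongs to a trusted sender is only
    acceptable from that sender's own address; any other address claiming the
    same name is treated as identity deception."""
    name = msg.from_name.strip().lower()
    legit_addrs = {addr for addr, n in TRUSTED_SENDERS.items() if n == name}
    if not legit_addrs:
        return False  # the name claims no trusted identity; not this check's job
    return msg.from_addr.strip().lower() not in legit_addrs


# Constructed sample messages.
SAMPLE_MESSAGES = [
    # 1: first wave of a phishing campaign; the URL has been reported and blocklisted
    Email("PayPal", "alerts@paypa1-verify.example",
          "Confirm your account: http://paypa1-verify.example/login"),
    # 2: same campaign after the sender rotates the URL; the blocklist is now stale
    Email("PayPal", "alerts@paypa1-verify.example",
          "Confirm your account: http://paypa1-verify.example/a/2f9c/login"),
    # 3: BEC-style request with no URL or attachment at all
    Email("Jane Doe", "jane.doe.acme@freemail.example",
          "Are you at your desk? I need a wire sent before 3pm."),
    # 4: legitimate notification from the real sender
    Email("PayPal", "payments@paypal.example",
          "Your receipt: http://paypal.example/receipts/123"),
]


def evaluate(messages):
    """Return (blocklist_flagged, identity_flagged) for each message, in order."""
    return [(blocklist_verdict(m), identity_verdict(m)) for m in messages]


if __name__ == "__main__":
    for m, (bl, idv) in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES)):
        print(f"{m.from_name!r:12} {m.from_addr:34} blocklist={bl!s:5} identity={idv}")
```

Only the first message is caught by the blocklist; the rotated URL and the URL-free BEC request sail past it, while the identity check flags all three and leaves the genuine sender alone. The identity model here is deliberately narrow (exact display-name ownership); a real deployment would also reason about lookalike domains, authentication results and sender history, but the shape of the decision is the same.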
The failure of traditional security technologies is evident—not just from seeing the explosive growth of email-centric crime syndicates and entire national economies supported by email-based crime—but also from the perspective of the security concerns felt in board rooms and within governments. Business email compromise (BEC), one of the most prominent types of targeted email attacks, is now a $12B problem, according to the FBI [3]. As the email threat evolved, the blacklisting paradigm became obsolete—but was not abandoned. Email-based attacks have turned into an existential threat to many organizations, which are currently unprotected as the security industry has stubbornly clung to a paradigm that can’t hope to address the evolving threat of targeted email attacks leveraging identity deception.
To understand what prompted the security industry to rely on chasing the bad, we need to look back at the history of online abuse.
When large-scale spam first hit the scene in 1994, service providers did their best to fight back: AOL deployed countermeasures that were equal parts anomaly detection and blacklisting, and providers assigned large teams to manually catalog the attacks. While this reactive approach could only shorten the duration of any given attack, it was a tolerable strategy during a time when the low per-recipient losses forced attackers to send tremendous batches of email. A paradigm was born.