Business email compromise (BEC), phishing, and ransomware are growing ever-more targeted and personalized, changing the face of email security from an event that happens at email delivery to a continuous process of detection and remediation.
As enterprises move email to the cloud, more of these attacks are never-before-seen, zero-day events targeting unreported security gaps. Others arrive as plain-text messages or involve malware or trojans customized in any of hundreds of variations to evade detection. A few leverage legitimate URLs with time-bombed links that redirect only after an email is successfully delivered.
Almost all leverage sophisticated social engineering ploys to spark just enough curiosity or anxiety to manipulate recipients into revealing sensitive information, surrendering login credentials, or making payments on fraudulent invoices.
Since these attacks target human emotions, legacy defenses no longer work very well. There are simply no telltale signatures of malicious content or payloads to detect. Antiquated whitelists are manual and lack flexibility. Email security training obviously can help, but it can also introduce high volumes of employee-reported spam and false positives, leaving the security operations center (SOC) overburdened to hunt down and remediate legitimate threats.
SOCs Left Scrambling after Advanced Email Attacks
A simple truth for the modern enterprise is that new email threats evolve so quickly, some inevitably slip through or activate post-delivery. And once they've evaded initial detection, they move laterally through the organization, impacting other inboxes or infrastructure. Fraudsters exploit cloud-connected file sharing, messaging, and collaboration tools to lure in new victims.
Once this happens, legacy email security controls are largely out of scope for the emerging incident. SOC teams armed with SIEM and SOAR tools descend to analyze, triage, and remediate, but these tools typically provide little ability to remove threats that have spread to other inboxes across the organization. As a result, it can take weeks or even months to even detect an email-based attack, during which time organizations can face costly damage, including direct financial losses, theft of valuable IP, financial liability, and damage to their brand reputation.
In fact, the average cost of a successful email-based attack averages $2 million and up. When they result in a data breach, the price tag averages $7.9 million per incident—and is growing fast.
Rising Account Takeovers Problematic for Legacy Vendors
One of the most dangerous and rapidly growing attack modalities is the account takeover (ATO)-based attack, in which cybercriminals use compromised email accounts of trusted individuals and businesses to defraud internal targets within a company, as well as their partners, customers, and numerous third-parties. In fact, based on our own data, this type of attack grew from single digits to nearly 30% of all attacks just in the first quarter of 2019.
Some criminals will use these pirated accounts to request wire transfers or ask HR to change personal details for direct deposits. Others will commit any number of financial crimes against employees, partners, and others connected to the legitimate owner of the account—including family, friends, and companies with which they conduct personal business. According to Forbes, 29% of organizations report their Office 365 email accounts were compromised in just one thirty-day period earlier this year.
It's true that a few legacy security vendors attempt to address these changing dynamics in limited ways. But they usually involve expensive add-ons that are bolted atop legacy architectures—bloating IT infrastructures along with CAPEX and OPEX accounts. Fortunately, there are a handful of other providers that have taken a different approach.
Looking at the revolution in email artificial intelligence (AI) and machine learning (ML), these providers have come to recognize how these technologies can play a critically important role in augmenting legacy security controls with a predictive form of email security capable of stopping even the most advanced zero-day attacks.
Returning Confidence to the Inbox
Indeed, the idea behind the Secure Email Cloud is not only to stop all advanced attacks, but to predict and stop new and evolving threats you haven’t yet seen, dynamically and with minimal cost and overhead. By providing the ability to use newly-reported indicators of compromise to locate and defeat latent threats hiding in the inbox, the Agari technology picks up where other email security systems leave off. And by providing SOC teams with automated tools to rapidly address threats activated post-delivery, it reduces the time and money it takes to detect and remediate email-borne exploits and breaches.
In this four-part series, we'll take a closer look at how machine learning and other technologies underpin the Secure Email Cloud to close the security gap in a solution that's easily integrated into any email infrastructure—on-premise, in-cloud, or within hybrid environments. It's a real-life example of how predictive, applied ML technologies can give organizations the confidence to open, click, and trust everything that hits their inboxes, without fear of fraud or a zero-day event.
To learn more about how Agari applies the power of machine learning-based AI to prevent phishing attacks, BEC scams and more, download an exclusive white paper on the Agari Identity Graph.
This is part one of a four-part series, you can find part two, part three, and part four here.