Account takeover based attacks more than double with 44% of businesses falling victim
Agari, a cybersecurity company, announced the publication of “Protecting Against Account Takeover Based Email Attacks,” which observed account takeover-based email attacks more than double month-over-month.
Attacks launched from compromised accounts evade traditional detection because they come from a previously-established credible sender. Agari Enterprise Protect is now the first solution to detect ATO-based attacks by enhancing the advanced threat modeling of Agari Identity Intelligence™ (AI2).
“Based on a survey of 140 organisations with an average of over 16,821 email users, 44% of businesses were victims of an email attack using a compromised account in the past 12 months,” said Michael Osterman, president, Osterman Research. “Account takeover attacks should be considered a very serious risk because they target the highest levels of leadership, but are extremely difficult to detect.”
Recently, Osterman Research found that targeted email attacks launched via a compromised account were the most successful email attack vector in the past 12 months. ATO-based attacks evade traditional email security solutions, such as secure email gateways (SEGs), because they are sent from established email accounts – no domain name spoofing or display name deception is required.
Previously, Agari research has demonstrated that SEGs are unable to detect business email compromise (BEC) because there is no malicious payload involved. Consequently, ATO-based BEC attacks present a very high risk to organisations because no security controls can detect them.
Key findings from “Protecting Against Account Takeover (ATO) Based Email Attacks” include:
- Almost Half of Organisations Are Victims of ATO-based Attacks – Analysis of an Osterman Research Survey reveals 44% of organisations were victims of a successful ATO-based attack.
- The Lifecycle of ATO-based Attacks – Agari delineates five steps to ATO-based attacks, including account access, control, reconnaissance, targeted attacks and data exfiltration or fraudulent financial payments.
- One-in-ten ATO-based Attacks is Sent by a Trusted Party – Agari research has categorised ATO-based attacks by four types of senders: strangers, employee webmail accounts, trusted third parties and insider business accounts. While stranger accounts send 90% of ATO-based attacks, trusted third parties send 9% of ATO-based attacks.
“Agari’s research demonstrates what CISOs have suspected for years: traditional email security solutions, such as secure email gateways, based on inspection and reputation are unable to detect advanced email attacks, such as account takeover,” said Ravi Khatod, CEO, Agari.
“As criminals have refined their techniques, impersonating and targeting the highest levels of corporate leadership, organisations risk giving away the keys to the kingdom; only Agari can stop the rising tide of compromised accounts before they reach the CEO.”
Agari delivers industry-first ATO-based attack detection, prevention and forensics
Agari Enterprise Protect leverages Agari Identity Intelligence™ (AI2), an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion emails per year to model email senders’ and recipients’ identity characteristics, behavioral norms, and personal, organisational, and industry-level relationships.
Agari takes a unique approach of modeling the good — which is what authentic, trustworthy communications look and act like — using machine learning to identify attempts to trick people into trusting something they should not.
With this new release, Agari enhances the Agari Identity Intelligence™ (AI2) machine learning algorithms to model the behavior of compromised accounts used to launch targeted email attacks.
When a message is received it is subjected to the following phases of analysis and scoring:
- Identity Mapping – Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organisation or a broader classification.
- Behavioral Analytics – Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message is what this sender normally sends, and whether the frequency and timing of the message are normal. Any anomaly is treated as suspicious.
- Trust Modeling – Determines if communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior because of the greater impact of the attack. Ultimately the system models interaction – how often the sender/recipient interact or if the responsiveness and timing of responsiveness between the two are normal.
- Identity Intelligence Scoring – The Identity Intelligence Score of a message is a combination of the features and indicators from the three preceding phases, and determines whether the message is indeed originating from an Account Takeover-based compromised account.
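The four phases above can be illustrated with a small scoring pipeline. This is an added toy example, not Agari's code or model: the interaction history, addresses, anomaly checks, trust weighting and flagging threshold are all constructed assumptions chosen to show how a close relationship gets less tolerance for the same anomalies.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed interaction history (assumption, not real telemetry):
# (sender, recipient) -> hours of past sends and the content classes seen
HISTORY = {
    ("cfo@example.com", "ap@example.com"): {"hours": [9, 10, 11, 9, 10, 14, 9],
                                            "types": {"invoice", "approval"}},
    ("cfo@example.com", "ceo@example.com"): {"hours": [9, 12], "types": {"report"}},
}

@dataclass
class Message:
    sender: str
    recipient: str
    hour: int       # send hour (0-23) in the recipient's local time
    msg_type: str   # coarse content class, e.g. "invoice" or "wire_request"

def identity_mapping(msg, known_domain="example.com"):
    # Phase 1: map the sender to an established identity or a broader class
    return "internal" if msg.sender.endswith("@" + known_domain) else "stranger"

def behavioral_analytics(msg, history):
    # Phase 2: anomalies relative to this sender's past behavior toward this recipient
    past = history.get((msg.sender, msg.recipient))
    if past is None:  # never seen this pair: every check is anomalous
        return {"never_interacted": True, "unexpected_type": True, "odd_timing": True}
    return {"never_interacted": False,
            "unexpected_type": msg.msg_type not in past["types"],
            "odd_timing": abs(msg.hour - mean(past["hours"])) > 4}

def trust_modeling(msg, history):
    # Phase 3: relationship strength in [0,1]; saturates after 5 prior interactions
    past = history.get((msg.sender, msg.recipient))
    return min(1.0, (len(past["hours"]) if past else 0) / 5)

def identity_intelligence_score(msg, history):
    # Phase 4: fraction of anomalous indicators, weighted by trust so that a
    # close relationship gets less tolerance for the same anomalies
    anomalies = behavioral_analytics(msg, history)
    base = sum(anomalies.values()) / len(anomalies)
    weight = 0.5 + 0.5 * trust_modeling(msg, history)
    return round(base * weight, 4)

def classify(msg, history=HISTORY, threshold=0.5):
    # Returns (identity class, score, flagged); the threshold is an assumed cutoff
    score = identity_intelligence_score(msg, history)
    return identity_mapping(msg), score, score >= threshold
```

The same two anomalies (off-hours send, unseen content class) score higher from the CFO to the accounts-payable mailbox, where the relationship is well established, than to the CEO, where it is thin.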
To support this modeling, Agari leverages a cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern.
“Agari Identity Intelligence is the core of the next generation of Advanced Threat Protection for email. It takes a new approach to detecting the modern, sophisticated, identity-based attack,” said Khatod. “Leveraging global telemetry sources, unique algorithms, and a real-time scoring pipeline, the system continuously models email sending and receiving behaviors across the Internet and detects the new attacks of today and the even more sophisticated ones we expect to see in the future.”