Access Email Accounts


In the context of cybersecurity, access email accounts are used to manage and control entry to various systems, applications, and resources. These are typically non-human accounts, though they can also be used by multiple individuals, making them a significant security risk. Unlike personal email accounts, their primary purpose is to provide a digital identity for a function or group rather than a single person.

The main risks associated with access email accounts stem from weak security practices. They are often protected by weak or reused passwords that are easy to guess or crack. A compromised access email account can give an attacker a persistent foothold in a network, allowing them to intercept private communications, steal sensitive data, and commit fraud. Since multiple people may use the same account, it becomes difficult to track who performed a specific action, resulting in a lack of accountability and complicating incident response. Without proper management, these accounts can become a security liability, especially since they may not be subject to security controls like multi-factor authentication (MFA) and may retain elevated privileges long after their initial purpose has been fulfilled.

ThreatNG provides a detailed and multi-faceted approach to securing access email accounts by focusing on their external footprint and potential vulnerabilities. It helps organizations uncover and address risks associated with these non-human accounts from an attacker's perspective.

External Discovery and Assessment

ThreatNG's platform performs unauthenticated, purely external discovery, allowing it to find publicly exposed access email addresses without needing internal access. Once discovered, these emails are grouped under the "NHI Email Exposure" feature, categorized explicitly as account or user.

ThreatNG's external assessment capabilities then analyze these accounts for various risk factors:

  • Data Leak Susceptibility: The platform's assessment is based on its Dark Web Presence intelligence. It checks if an access email account's credentials have been compromised and are available on the dark web. This is a critical indicator of a potential account takeover.

    • Example: ThreatNG discovers the email admin-access@example.com on a publicly exposed subdomain. Its assessment then finds this same email and password in a database of compromised credentials on the dark web, immediately flagging it as a high-risk data leak.

  • Cyber Risk Exposure: The platform uses its Domain Intelligence module to assess cyber risk, factoring in vulnerabilities, exposed sensitive ports, and compromised credentials found on the dark web. A compromised access email could be tied to any of these weaknesses.

  • Code Secret Exposure: ThreatNG investigates public code repositories for sensitive data. It can uncover access emails embedded in configuration files or code alongside credentials.

    • Example: The platform finds the email api-user@example.com in a public GitHub repository, hard-coded with a plaintext API token. This finding significantly raises the organization's Code Secret Exposure score, providing objective evidence of a serious vulnerability.

Continuous Monitoring and Reporting

ThreatNG's continuous monitoring provides real-time updates on external attack surface risks, digital risks, and security ratings for all organizations. This ensures that newly exposed access emails or compromised credentials are detected immediately.

The platform offers a variety of reports, including Executive, Technical, and Prioritized. These reports detail the findings, provide a risk level (High, Medium, Low, or Informational), and offer actionable recommendations. A technical report might identify an exposed account email, explain why it's a risk, and recommend a password reset or the implementation of multi-factor authentication.

Investigation Modules and Intelligence Repositories

ThreatNG's investigation modules provide the detailed context needed to understand the risks of exposed access emails.

  • Domain Intelligence: This module can identify email security weaknesses, like a lack of SPF, DKIM, or DMARC records, which increases the susceptibility of access emails to phishing and spoofing attacks.

  • Archived Web Pages: ThreatNG can discover emails that were previously exposed on older, archived versions of a website. This helps uncover legacy access accounts that may have been forgotten but are still active.

  • Dark Web Presence: This module tracks explicit mentions of an organization and associated compromised credentials. It's a key source for identifying if an access email account has been compromised.
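
The SPF, DKIM and DMARC weaknesses that the Domain Intelligence module looks for can be checked mechanically from a domain's TXT records. The script below is an added example and is not ThreatNG's code: it evaluates constructed, in-memory records instead of querying DNS, and the rating labels, the sample domains and the selector list (KNOWN_SELECTORS) are assumptions made for illustration. One caveat it makes explicit: DKIM keys live under a selector name, so a checker can only confirm selectors it already knows about, never prove that a domain has no DKIM at all.

```python
"""Evaluate a domain's SPF, DMARC and DKIM records for common weaknesses.
Added example, not ThreatNG code. The DNS data is a constructed in-memory
zone so the check runs offline; a real tool would replace lookup_txt()
with a resolver query for <domain> and _dmarc.<domain>."""
import re

# Constructed sample TXT records (not real DNS data).
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB"],
    "weak.example": ["v=spf1 +all"],
}

# Hypothetical selector list: DKIM records cannot be enumerated from DNS,
# so a checker can only probe selectors it already knows about.
KNOWN_SELECTORS = ("selector1", "default", "google", "k1")


def lookup_txt(name, zone=SAMPLE_ZONE):
    """Stand-in for a DNS TXT query, answered from the constructed zone."""
    return zone.get(name.lower(), [])


def assess_spf(records):
    """Return (rating, reason) for a domain's SPF records."""
    spf = [r for r in records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no SPF record: receivers cannot reject forged senders"
    if len(spf) > 1:
        return "invalid", "multiple SPF records: receivers treat this as a permanent error"
    rec = spf[0].lower()
    # The 'all' mechanism decides what happens to senders not listed.
    if re.search(r"(^|\s)\+?all(\s|$)", rec):
        return "weak", "'+all' authorises every host on the internet"
    if re.search(r"(^|\s)\?all(\s|$)", rec):
        return "weak", "'?all' is neutral and gives receivers no signal"
    if re.search(r"(^|\s)~all(\s|$)", rec):
        return "soft", "'~all' only softfails unknown senders; rely on DMARC to enforce"
    if re.search(r"(^|\s)-all(\s|$)", rec):
        return "strong", "'-all' hardfails unknown senders"
    return "weak", "no 'all' mechanism: unlisted senders default to neutral"


def assess_dmarc(records):
    """Return (rating, reason) for the DMARC record at _dmarc.<domain>."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", "no DMARC record: spoofed mail is neither rejected nor reported"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "")
    if policy == "reject":
        return "strong", "p=reject blocks mail that fails SPF/DKIM alignment"
    if policy == "quarantine":
        return "moderate", "p=quarantine sends failing mail to spam"
    if policy == "none":
        return "weak", "p=none only monitors; spoofed mail is still delivered"
    return "invalid", f"unrecognised or missing policy tag p={policy!r}"


def assess_dkim(domain, selectors=KNOWN_SELECTORS, zone=SAMPLE_ZONE):
    """Return the known selectors that publish a DKIM key for the domain."""
    return [s for s in selectors
            if any(r.strip().lower().startswith("v=dkim1")
                   for r in lookup_txt(f"{s}._domainkey.{domain}", zone))]


def assess_domain(domain, zone=SAMPLE_ZONE):
    """Summarise the email-authentication posture of one domain."""
    return {
        "spf": assess_spf(lookup_txt(domain, zone)),
        "dmarc": assess_dmarc(lookup_txt(f"_dmarc.{domain}", zone)),
        "dkim_selectors": assess_dkim(domain, zone=zone),
    }


if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, assess_domain(d))
```

For the constructed data, example.com comes out as SPF "soft" (softfail only), DMARC "weak" (p=none, so spoofed mail is still delivered) and one DKIM selector found, while weak.example has "+all", no DMARC and no known DKIM selector. A domain in that second state is exactly the kind where an exposed access email is easy to spoof, which is why the SPF and DMARC results belong alongside the email-exposure finding rather than in a separate report.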

ThreatNG's Intelligence Repositories (DarCache) provide a continuously updated source of threat data. This is particularly useful for verifying the risk of access emails.

  • DarCache Rupture tracks compromised credentials, allowing ThreatNG to confirm if a discovered user or account email has been part of a data breach.

  • DarCache Vulnerability provides a proactive approach to managing risks by linking vulnerabilities to their real-world exploitability and potential impact.

Complementary Solutions

ThreatNG's external perspective can be enhanced by working with complementary solutions to create a more comprehensive security program.

  • With an Identity and Access Management (IAM) Solution: When ThreatNG discovers a compromised access email on the dark web, it can automatically trigger a policy in an IAM platform to force a password reset and require multi-factor authentication for that account. This creates a synergy where external intelligence from ThreatNG drives automated, proactive changes in a company's internal security controls.

  • With a Security Information and Event Management (SIEM) System: A SIEM can ingest the high-priority alerts from ThreatNG regarding an exposed access email. The SIEM can then correlate this external finding with internal log data to determine if there has been any suspicious login activity or lateral movement from that specific account, giving analysts a holistic view of the threat.

  • With a Security Orchestration, Automation, and Response (SOAR) Platform: A SOAR platform can be configured to take an alert from ThreatNG about a newly discovered access email in a public repository and automatically execute a playbook. This could involve creating an incident ticket, notifying the IT team, and initiating a workflow to investigate and remediate the exposed credential without human intervention.
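
The SIEM correlation described above, reduced to its core logic, as an added example that is not ThreatNG's or any SIEM vendor's code: an external finding says an access email appeared in a compromised-credential dump at a given time, and the script compares that account's internal authentication history before and after that moment. The finding fields, the key=value log format, the addresses and the timestamps are all constructed for illustration; a real deployment would feed the function from the SIEM's own parsed events.

```python
"""Correlate an external compromised-credential finding with internal
authentication logs. Added example, not ThreatNG or SIEM vendor code.
Findings, log format and addresses are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed external finding (hypothetical field names): the account
# appeared in a compromised-credential dump at this time.
SAMPLE_FINDINGS = [
    {"email": "admin-access@example.com", "exposed_at": "2024-05-01T00:00:00Z"},
]

# Constructed authentication log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-04-28T08:02:11Z auth login user=admin-access@example.com src=198.51.100.10 result=success
2024-04-30T17:45:03Z auth login user=admin-access@example.com src=198.51.100.10 result=success
2024-05-02T09:12:41Z auth login user=admin-access@example.com src=198.51.100.10 result=success
2024-05-02T23:01:05Z auth login user=admin-access@example.com src=203.0.113.7 result=failure
2024-05-02T23:01:09Z auth login user=admin-access@example.com src=203.0.113.7 result=failure
2024-05-02T23:01:14Z auth login user=admin-access@example.com src=203.0.113.7 result=failure
2024-05-02T23:01:20Z auth login user=admin-access@example.com src=203.0.113.7 result=success
2024-05-02T23:05:00Z auth login user=jdoe@example.com src=203.0.113.7 result=success
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T00:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = parse_ts(event["ts"])
    event["user"] = event["user"].lower()
    return event


def correlate(findings, log_lines, fail_threshold=3):
    """Flag post-exposure activity for each externally compromised account.

    Two signals are produced per account:
      new_source_login   - a successful login after exposure from a source IP
                           never seen in that account's pre-exposure history
      failed_login_burst - at least fail_threshold failures after exposure,
                           consistent with leaked passwords being tried
    """
    events = [e for e in (parse_line(line) for line in log_lines) if e]
    alerts = []
    for finding in findings:
        user = finding["email"].lower()
        exposed_at = parse_ts(finding["exposed_at"])
        mine = [e for e in events if e["user"] == user]
        # Baseline: sources this account logged in from before the exposure.
        baseline = {e["src"] for e in mine
                    if e["result"] == "success" and e["ts"] < exposed_at}
        after = [e for e in mine if e["ts"] >= exposed_at]
        for e in after:
            if e["result"] == "success" and e["src"] not in baseline:
                alerts.append({"email": user, "type": "new_source_login",
                               "src": e["src"], "ts": e["ts"].isoformat()})
        failures = [e for e in after if e["result"] != "success"]
        if len(failures) >= fail_threshold:
            alerts.append({"email": user, "type": "failed_login_burst",
                           "count": len(failures),
                           "sources": sorted({e["src"] for e in failures})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FINDINGS, SAMPLE_LOG):
        print(alert)
```

On the constructed data the known-office login from 198.51.100.10 after the exposure raises nothing, while the three failures followed by a success from 203.0.113.7 produce one new_source_login alert and one failed_login_burst alert for the flagged account; jdoe's login from the same address is ignored because no external finding names that account. The baseline is deliberately built only from logins before the exposure time, so an attacker's first successful login cannot "teach" the check that their address is normal.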
