General IT Email Accounts

In the context of cybersecurity, General IT email accounts are non-human email addresses used for various administrative functions. These accounts are often tied to general IT services, support systems, or informational purposes that are not specific to a single application or protocol. They are distinct from individual user accounts and are commonly used by a group of people or an automated process to handle tasks like receiving alerts, managing helpdesk tickets, or providing general contact information.

The risks associated with General IT email accounts are often high due to their broad, public-facing nature and the sensitive information they handle. Cybercriminals frequently target these accounts for several reasons. For example, they can be used as a point of entry for phishing attacks, where an attacker sends a deceptive email to trick users into revealing sensitive data or downloading malware. Since multiple people may share these accounts, they can lack accountability, making it difficult to track who performed a specific action, which complicates incident response. Additionally, these accounts may not have the same level of security controls as individual accounts, such as multi-factor authentication, making them more vulnerable to credential theft and unauthorized access.

ThreatNG can help secure General IT email accounts by providing a comprehensive, outside-in view of their exposure and associated risks. It operates like an attacker, identifying vulnerabilities that are often missed by internal security tools.

External Discovery and Assessment

ThreatNG's external discovery engine operates without requiring any connectors or credentials to identify publicly exposed emails. It groups these under the "NHI Email Exposure" category, with specific labels like admin, support, info, and help. ThreatNG’s external assessments then evaluate the security posture of these accounts.

  • Data Leak Susceptibility: The platform determines this score based on its Dark Web Presence module, which looks for compromised credentials.

    • Example: ThreatNG discovers the email info@example.com on a publicly exposed subdomain. It then checks its compromised credentials database and finds that the email and its password were part of a recent data breach, leading to a high data leak susceptibility score. This indicates that an attacker may already possess credentials for this account, which could be used to launch further attacks.

  • BEC & Phishing Susceptibility: This assessment is derived from ThreatNG's Domain Intelligence, which provides Email Intelligence capabilities, including email security presence and format prediction.

    • Example: ThreatNG discovers a publicly listed support@example.com email address and assesses its email security presence. If it finds a lack of proper DMARC, SPF, and DKIM records, it will flag the account as highly susceptible to phishing and spoofing. This information is crucial for an organization to prevent attackers from impersonating the support team to scam customers or employees.
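The "email security presence" check described above comes down to inspecting three DNS TXT records: SPF at the domain itself, DKIM under `<selector>._domainkey.<domain>`, and DMARC under `_dmarc.<domain>`. The following is an added illustration of that assessment, not ThreatNG's code; the domains, record contents, selector name and the risk thresholds are constructed assumptions so that it runs offline (a real assessment would fetch the records with a DNS resolver).

```python
"""Assess a domain's SPF / DKIM / DMARC posture from its DNS TXT records.

Added example, not ThreatNG code. SAMPLE_TXT stands in for live DNS lookups;
every name and record below is constructed.
"""

# Constructed sample zone data: DNS name -> list of TXT record strings.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0G..."],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "selector1._domainkey.weak.example": ["v=DKIM1; k=rsa; p=MIGfMA0G..."],
    # "nothing.example" deliberately has no records at all.
}


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_security(domain, txt=SAMPLE_TXT, dkim_selectors=("selector1",)):
    """Return presence of SPF/DKIM/DMARC, weak settings found, and an overall risk level."""
    findings = {"domain": domain, "spf": "missing", "dkim": "missing",
                "dmarc": "missing", "issues": []}

    # SPF is a TXT record on the domain itself that starts with v=spf1.
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if spf:
        findings["spf"] = "present"
        # A record whose final mechanism is "+all" (or bare "all") authorises every host.
        if spf[0].split()[-1].lstrip("+") == "all":
            findings["issues"].append("SPF ends in +all: any host may send as this domain")

    # DKIM public keys live under <selector>._domainkey.<domain>; a usable record needs a p= tag.
    for selector in dkim_selectors:
        for record in txt.get(f"{selector}._domainkey.{domain}", []):
            tags = parse_tags(record)
            if tags.get("v", "DKIM1").upper() == "DKIM1" and tags.get("p"):
                findings["dkim"] = "present"

    # DMARC policy lives at _dmarc.<domain>; p=none only monitors, it does not block spoofing.
    for record in txt.get(f"_dmarc.{domain}", []):
        tags = parse_tags(record)
        if tags.get("v", "").upper() == "DMARC1":
            findings["dmarc"] = "present"
            if tags.get("p", "none").lower() == "none":
                findings["issues"].append("DMARC p=none: spoofed mail is reported but still delivered")

    # Constructed scoring: any missing control is high, weak settings are medium.
    if "missing" in (findings["spf"], findings["dkim"], findings["dmarc"]):
        findings["risk"] = "high"
    elif findings["issues"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


if __name__ == "__main__":
    for name in ("example.com", "weak.example", "nothing.example"):
        print(assess_email_security(name))
```

The scoring distinguishes a missing control from a present-but-weak one: a domain with `p=none` or `+all` publishes the records, so automated "has DMARC?" checks pass, yet it still offers no protection against someone sending as its support address.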

Continuous Monitoring and Reporting

ThreatNG provides continuous monitoring of the external attack surface, digital risk, and security ratings for an organization. This ensures that if a general IT email account is newly exposed—for example, on a code-sharing platform or in a data dump—it is flagged in real-time.

The platform offers various reports, including Executive, Technical, and Prioritized.

  • Example: A prioritized report could classify an exposed admin@example.com email as a "High" priority risk, providing details on where it was found and offering a recommendation to change the password or remove the account from the public source. This helps IT teams focus on the most critical exposures.

Investigation Modules and Intelligence Repositories

ThreatNG's investigation modules offer detailed context about the discovered emails. The Archived Web Pages module, for instance, can uncover older instances of emails that were once public but have since been removed. This helps to find forgotten or legacy help accounts that might still be active and vulnerable. The Dark Web Presence module is essential for tracking mentions of an organization and its compromised credentials, providing crucial insights into whether a security@example.com email has been compromised and is being traded on the dark web.

ThreatNG's intelligence repositories, branded as DarCache, are continuously updated and provide a source of threat data.

  • DarCache Rupture (Compromised Credentials) allows ThreatNG to cross-reference any discovered general IT email to see if it has been part of a previous data breach.

  • DarCache Dark Web monitors the dark web to find if general IT emails are being discussed or traded by threat actors.

Complementary Solutions

ThreatNG's external intelligence can work in conjunction with complementary solutions to provide a more comprehensive security strategy.

  • With a Security Information and Event Management (SIEM) Solution: When ThreatNG flags an exposed ops email with a high-risk score, it can send an alert to a SIEM. The SIEM can then correlate this external finding with internal logs to identify any suspicious login attempts or unauthorized activities from that account, providing a comprehensive view of the threat.

  • With an Identity and Access Management (IAM) Solution: If ThreatNG identifies that an admin email has been compromised on the dark web, it can trigger an automated action in an IAM solution. This action could immediately disable the account or force a password reset, preventing an attacker from using the exposed credentials for lateral movement.

  • With a Security Orchestration, Automation, and Response (SOAR) platform: A SOAR platform can ingest a high-priority alert from ThreatNG about an exposed user or account email and automatically initiate a playbook. This could involve creating an incident ticket, notifying the IT team, and automatically removing the exposed email from the public source where it was found.
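The SIEM correlation described in the first bullet, an external "this account is exposed" finding joined against internal authentication logs, can be expressed as a small rule. The following is an added example and not code from ThreatNG or any SIEM vendor; the finding fields, the log line format, the trusted network range and the severity ladder are all constructed assumptions.

```python
"""Correlate an external account-exposure finding with internal auth logs.

Added example, not ThreatNG or SIEM vendor code. FINDING, AUTH_LOG and
TRUSTED_NETS are constructed sample data; the field names are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed external finding, as a SIEM might receive it from an exposure alert.
FINDING = {
    "account": "ops@example.com",
    "risk": "High",
    "source": "public paste site",
    "first_seen": "2024-05-01T09:30:00Z",
}

# Constructed internal authentication log, one event per line.
AUTH_LOG = """\
2024-05-01T08:55:10Z auth result=ok user=ops@example.com ip=198.51.100.23
2024-05-01T09:41:02Z auth result=fail user=ops@example.com ip=203.0.113.77
2024-05-01T09:41:09Z auth result=fail user=ops@example.com ip=203.0.113.77
2024-05-01T09:41:15Z auth result=ok user=ops@example.com ip=203.0.113.77
2024-05-01T09:50:00Z auth result=ok user=alice@example.com ip=203.0.113.8
"""

# Assumed trusted egress ranges (office / VPN) for the organisation.
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used in the finding and the log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the raw log into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return events


def is_trusted(ip):
    """True when the source address falls inside a known trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate(finding, events):
    """Summarise untrusted-source logins for the exposed account after its exposure time."""
    since = parse_ts(finding["first_seen"])
    hits = [e for e in events
            if e["user"] == finding["account"] and e["ts"] >= since and not is_trusted(e["ip"])]
    failed = sum(1 for e in hits if e["result"] == "fail")
    successes = sum(1 for e in hits if e["result"] == "ok")
    # Constructed severity ladder: failures followed by a success from an untrusted
    # address is the pattern of exposed credentials being tried and then working.
    if successes and failed:
        severity = "critical"
    elif successes:
        severity = "high"
    elif failed:
        severity = "medium"
    else:
        severity = "info"
    return {"account": finding["account"], "untrusted_events": len(hits),
            "failed": failed, "successful": successes, "severity": severity}


if __name__ == "__main__":
    print(correlate(FINDING, parse_log(AUTH_LOG)))
```

The rule only considers events at or after the exposure timestamp and from addresses outside the trusted ranges, so the earlier office login is ignored while the burst of failures and the subsequent success from an unfamiliar address are what raise the severity. The resulting summary is the kind of enriched alert the IAM and SOAR bullets above would act on.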
