Networking Email Accounts
Networking email accounts in the context of cybersecurity are non-human email addresses used to manage and maintain network infrastructure and protocols. These accounts are not tied to a specific individual but are instead associated with network services, devices, and protocols, such as VPN, SSH, and RDP. They serve as a crucial component for automated tasks, system notifications, and remote access, ensuring network components can communicate and function correctly without constant human oversight.
From a cybersecurity perspective, these accounts are high-value targets for attackers. Their compromise can grant an adversary direct access to an organization's internal network, allowing for lateral movement, data exfiltration, and the installation of malware. Because networking email accounts often have elevated permissions to configure and manage critical network services, a successful attack can have devastating consequences. The challenge in securing them lies in the fact that they are often overlooked in standard security practices, such as routine password changes or multi-factor authentication, making them vulnerable to brute-force attacks and credential stuffing. A lack of visibility and centralized management can lead to forgotten or misconfigured accounts that serve as a persistent backdoor into the network.
ThreatNG can significantly help with networking email accounts by providing a continuous, external perspective on their security posture. It leverages its capabilities to discover, assess, monitor, and report on risks that are often overlooked with these types of accounts.
External Discovery and Assessment
ThreatNG's unauthenticated external discovery scans an organization’s digital footprint to find publicly exposed emails. It groups those associated with networking protocols and services, such as rdp, vpn, and ssh, under the NHI Email Exposure capability. The external assessment then analyzes these accounts to determine their risk level.
For example, a Cyber Risk Exposure assessment considers sensitive ports, vulnerabilities, and compromised credentials found on the dark web.
Example: ThreatNG might discover the email address vpn-access@example.com on a publicly exposed subdomain. It would then use its Dark Web Presence assessment to check whether that email has been found in a credential leak, which would directly impact the Cyber Risk Exposure score and signal a high-risk situation.
Similarly, the Data Leak Susceptibility score is derived from external intelligence, including dark web presence and compromised credentials, which would be directly relevant if a networking email account were part of a breach.
Continuous Monitoring and Reporting
ThreatNG's continuous monitoring provides uninterrupted visibility into external attack surfaces, digital risk, and security ratings for all organizations. This ensures that as soon as a networking email account is exposed, for instance, on an online sharing platform, it is immediately flagged.
The platform provides various types of reports, including Executive, Technical, and Prioritized. These reports detail the findings, providing a clear understanding of the risks.
Example: A prioritized report would classify an exposed rdp email found on an archived web page as a high-risk finding, complete with reasoning, recommendations for mitigation, and risk levels to help security teams focus their efforts.
Investigation Modules and Intelligence Repositories
ThreatNG’s investigation modules offer detailed context about exposed networking emails. The Subdomain Intelligence module can discover and analyze subdomains related to remote access, such as those with "vpn" in their names, and check for open sensitive ports like those used by SSH or RDP.
The Sensitive Code Exposure module scours public code repositories for networking emails and associated credentials.
Example: The Sensitive Code Exposure module might uncover a configuration file on GitHub containing an email address, ssh-admin@example.com, alongside a private key, which would be flagged as a critical security risk.
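A small triage routine of the kind the NHI Email Exposure grouping, the Dark Web Presence / DarCache Rupture check and the Sensitive Code Exposure finding above describe, written here as an added illustration and not ThreatNG's own code. The address list, the breach set and the leaked config are constructed samples, and the keyword list and severity ladder are assumptions.

```python
import re

# Constructed sample input: addresses an external scan might surface (not real findings).
DISCOVERED_EMAILS = ["vpn-access@example.com", "ssh-admin@example.com",
                     "rdp.gateway@example.com", "press@example.com"]
# Constructed stand-in for a compromised-credential database (the page's DarCache Rupture).
BREACHED_EMAILS = {"vpn-access@example.com"}
# Constructed config snippet of the kind a public-repository scan might return.
LEAKED_CONFIG = """user=ssh-admin@example.com
-----BEGIN OPENSSH PRIVATE KEY-----
(constructed placeholder, no real key material)
-----END OPENSSH PRIVATE KEY-----
"""

NETWORKING_KEYWORDS = ("vpn", "ssh", "rdp")   # assumed grouping keywords
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SEVERITY = {"critical": 3, "high": 2, "medium": 1, "info": 0}   # assumed ladder

def networking_protocol(email):
    """Return 'vpn', 'ssh' or 'rdp' when the local part is built around that keyword, else None."""
    tokens = re.split(r"[-._+]", email.split("@", 1)[0].lower())
    return next((kw for kw in NETWORKING_KEYWORDS if kw in tokens), None)

def emails_with_key_material(config_text):
    """Emails found in a text blob that also carries a private key block."""
    if not PRIVATE_KEY_RE.search(config_text):
        return set()
    return set(EMAIL_RE.findall(config_text))

def rate(email, breached, key_adjacent):
    """Severity for one address: account next to a key outranks a breach hit, which outranks exposure."""
    proto = networking_protocol(email)
    if proto and email in key_adjacent:
        return "critical"   # account name published next to a private key
    if proto and email in breached:
        return "high"       # non-human account already in a breach corpus
    if proto:
        return "medium"     # exposed networking account, no known compromise yet
    return "info"           # ordinary mailbox, outside this triage

def triage(emails, breached=BREACHED_EMAILS, config_text=LEAKED_CONFIG):
    """Prioritised findings, highest severity first (stable sort keeps discovery order within a level)."""
    key_adjacent = emails_with_key_material(config_text)
    findings = [{"email": e, "protocol": networking_protocol(e),
                 "level": rate(e, breached, key_adjacent)} for e in emails]
    return sorted(findings, key=lambda f: SEVERITY[f["level"]], reverse=True)
```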
ThreatNG's intelligence repositories, known as DarCache, are continuously updated with intelligence from various sources.
DarCache Dark Web: Monitors the dark web for mentions of the organization, which could reveal compromised networking accounts being sold.
DarCache Rupture: A database of compromised credentials, which allows ThreatNG to check if a discovered networking email has been exposed in a previous data breach.
DarCache Vulnerability: Provides context on known vulnerabilities from sources such as NVD, EPSS, and KEV, and links to verified Proof-of-Concept exploits. ThreatNG could use this to show whether a networking email is tied to a service with a known vulnerability.
Complementary Solutions
ThreatNG's external focus complements internal security tools, creating a more complete defense.
With an Identity and Access Management (IAM) solution: When ThreatNG discovers a vpn email account that has been compromised, it can trigger an automated action within a complementary IAM solution. This action could immediately force a password reset and apply stronger authentication policies.
With a Security Orchestration, Automation, and Response (SOAR) platform: A SOAR platform can ingest a high-priority alert from ThreatNG about an exposed ssh account and then automatically create a support ticket, notify the relevant security team, and run a playbook to investigate internal network activity related to that account.
With an Extended Detection and Response (XDR) platform: An XDR platform can use ThreatNG's external intelligence about a compromised rdp account to correlate and prioritize internal alerts, such as an unusual login attempt or a new file transfer, which might otherwise be missed.