SOC Prime Threat Detection Marketplace Review

SOC Prime Threat Detection Marketplace actively uses MIRE ATT&CK framework by linking tools, techniques, and actors to SIEM rules. With the help of SIGMA language, the solution provides real-time threat hunting and forensics capabilities, as well as detection and mitigation techniques and tactics to counter different types of attacks. Below are some benefits of using TDM:

Early detection of phishing attacks

Phishing  can come in different forms, such as spearphishing attachment, link, or via service. To counter phishing messages, TMD offers the core technique of utilizing network intrusion detection systems and email gateways to detect phishing messages while still in transit, as well as block malicious activities. Using detection chambers, suspicious links are also inspected. Another part of the mitigation techniques is restricting or completely blocking access to suspicious web-based content. 

Detect and mitigate abuse of command and scripting interpreter

The execution of commands, binaries, and scripts by adversaries can be detected via proper logging of process execution. By using this technique, along with command-line arguments, users can gain access to the adversaries’ activities. 

The mitigation process for this type of attack includes code signing wherever possible. Removing or disabling unused and unnecessary interpreters or shells is also part of mitigation, along with whitelisting where appropriate.

Counter software exploitation

Software applications have their own vulnerabilities that adversaries take advantage of. Targeted exploitation can be directed to browser-based software, Office applications, and third-party apps, such as Flash and Adobe in order for adversaries to gain access to systems. For this type of attack, the execution tactic would include detection, isolation and sandboxing of application, and mitigating exploitation behavior by using security applications, such as Windows Defender Exploit Guard (WDEG) and Enhanced Mitigation Experience Toolkit (EMET).

Detect and resolve malicious attacks on Windows native API

Adversaries can interact with Windows native API to execute attacks. As a way of detecting malicious activities and executing prevention techniques, it may be appropriate to use application whitelisting tool, such as Windows Defender Application Control, Applocker, or Software Restriction Policies

Counter adversary attacks on task/job scheduling functionality

Adversaries target scheduling applications and programs due to their recurring functionalities, which can be used to facilitate the recurring execution of malicious codes. To counter this type of attack, a combination of execution, persistence, and privilege escalation can be used. This combination of tactics involves audit, operating system configuration, and management of privileged and user accounts.

Detection and prevention of token stealing

Token stealing can lead to other attacks, such as token impersonation or creating a new process with stolen tokens. Often used by adversaries to elevate their security access from administrator to system level. Detection of this activity involves command-line activity audit and an in-depth analysis of user network activity. The mitigations techniques recommended by TDM include privileged account management to limit users and groups that can create tokens.

Fast onboarding and upskilling of new users

TDM provides users who are not yet familiar with the TDM platform an extensive list of onboarding resources. These knowledge resources include interactive guides to get started, comprehensive user guide, and videos to help new users navigate TDM’s features and functionalities. Users can also schedule a call with TDM experts for further guidance on utilizing TDM. You can also schedule for Customer Success sessions with an expert in your SIEM who can provide assistance as you upskill.

Build a sense of community through crowdsourcing development

SOC Prime TDM encourages budding and seasoned threat hunters to contribute to the community by crafting their own detection content. The platform introduces its crowdsourcing component, SOC Prime Threat Bounty Program, which has been promoting collaborative cyber defense since May 2019. By taking part in this program, developers can earn money on threat detection content of their own and help the TDM community thrive and shine.

Add a personal touch with Customer Support SLA

The SOC Prime TDM platform boasts numerous onboarding resources, such as a getting started interactive guide, an in-depth how-to user guide, and comprehensive walkthrough videos. The support service is always at your disposal that allows getting in touch in a matter of clicks. If you need more sophisticated discussions, scheduling a call with a TDM expert or Customer Success sessions with an expert in your SIEM can streamline your upskilling.