What We Do
How We Do
Get Started
Threat dissection

Threat Dissection: Trickbot


9 minutes read

Preventing Trickbot

There are steps that organizations can take to prevent Trickbot infections. Regular security awareness training and promoting a culture of caution when it comes to email communications can help mitigate some human-error related risk.

Maintaining a consistent vulnerability and patch management program to ensure that none of your IT assets have critical known vulnerabilities that can be easily exploited by malware like Trickbot is another fundamental preventative step.

Confirming your antivirus and/or endpoint protection products are properly tuned and updated is important. Particularly in the case of Microsoft Windows Defender, confirming that tamper protection features are enabled can mitigate Trickbot’s ability to disable and bypass endpoint security measures.5

It is worth repeating that the sophisticated resources behind the development of malware like Trickbot are specifically designed to bypass common preventative measures, meaning today’s threat prevention strategies could be ineffective tomorrow. Furthermore, no amount of awareness training and security culture can change the fact that human error is inevitable. Prevention is ultimately an impossible task unless it is tied to a robust threat detection and response capability.

eSentire Services Focus On Threat Prevention:

Managed Risk Services

The programs are designed to identify blind spots and harden your posture against known threats. Services within include Phishing and Security Awareness Training, Technical Testing and Virtual CISO services.

Managed Vulnerability Service

Dedicated eSentire experts act as an extension of your team to execute timely scanning and tracking of known vulnerabilities among your IT assets.

SOC Case Study: Trickbot Detection and Response With eSentire MDR for Network and MDR for Endpoint

In January 2020, an eSentire manufacturing customer was initially alerted to suspicious network activity, which prompted further investigation by analysts from eSentire’s Security Operations Center (SOC). Nine minutes later, a host was observed sending unusual outbound communications, at which point SOC analysts took action and placed TCP disruptions on both the internal host and the IP it was communicating with in order to halt the activity via eSentire MDR for Network. The host itself was isolated from the rest of the network as well via eSentire MDR for Endpoint. The SOC updated the customer with the latest development in the incident.

At this point, the threat appeared to be limited to a single compromised workstation with no observed indicators of compromise on the rest of the customer network. Furthermore, there was no risk of lateral movement with the host quarantined, which was fortunate because deeper forensic endpoint investigation revealed that the host was attempting to spread via the known EternalBlue exploit less than 20 minutes following the SOC’s actions to isolate the threat.

Trickbot was identified as the malware responsible for the activity with the initial infection traced back to human error from an employee who clicked on a link from a malspam email. Further investigation did reveal that a limited amount of the employee’s personal information (saved passwords and shipping address from a web browser auto-fill function) was exfiltrated before eSentire blocked the connection. We recommended to the customer that the end user change their passwords and their workstation be completely reimaged to ensure no traces of malware remained.

Swift investigation and response within less than 10 minutes of the initial threat detection was critical in containing this particular Trickbot incident. If reaction to the threat was slower by just 17 minutes, (a relative blink of an eye in the context of the typical workday in the average IT organization) there is a good chance this Trickbot infection would have been able to spread throughout the network. This underscores the speed security teams must operate at to stop advanced threats. Success is measured in seconds and minutes, but unfortunately, most organizations are lagging far behind with the mean time to contain a data breach at 73 days.6 Multi-signal Managed Detection and Response closes this gap for 1500+ customers with a 15 mean time to contain threats.

Trickbot Attack Timeline

A timeline of eSentire SOC using MDR for Network and MDR for Endpoint to detect, contain and remediate a Trickbot malware attack within 10 minutes.
Additional reading

Security Primer TrickBot, Center for Internet Security: https://www.cisecurity.org/white-papers/security-primer-trickbot/
Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts And Is Still Going Strong,Forbes: https://www.forbes.com/sites/leemathews/2019/07/14/stealthy-trickbotmalware-has-compromised-250-million-email-accounts-and-is-still-going-strong/#1976b2c74884
TrickBot, MITRE ATT&CK Framework: https://attack.mitre.org/software/S0266/
The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware,Decipher: https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware


Ready to Get Started?

We’re here to help! Submit your information and an eSentire representative will be in touch to help you build a more resilient security operation today.