4. Organisation
Profile
Singapore Health Services (commonly abbreviated as SingHealth) is Singapore's largest
group of healthcare institutions. The group was formed in 2000 and consists of four public
hospitals, three community hospitals, five national specialty centres and a network of eight
polyclinics. The Singapore General Hospital is the largest hospital in the group and serves as
the flagship hospital for the cluster.
5. Between 23 August 2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented
scale and sophistication was carried out on the patient database of Singapore Health Services
Private Limited (“SingHealth”).
The database was illegally accessed and the personal particulars of almost 1.5 million patients,
including their names, NRIC numbers, addresses, genders, races, and dates of birth, were
exfiltrated over the period of 27 June 2018 to 4 July 2018.
Around 160,000 of these 1.5 million patients also had their outpatient dispensed medication
records exfiltrated. The Prime Minister’s personal and outpatient medication data
was specifically targeted and repeatedly accessed.
Hackers did not amend or delete the records.
Background
6. Targets & Victims
Victims: 1.5 million patients
Data stolen included:
1. Names
2. NRIC numbers
3. Addresses
4. Gender
5. Race information
6. Date of birth
About 160,000 of these patients also had their outpatient prescriptions stolen.
Specifically targeted: PM Lee Hsien Loong and other ministers
- The attackers specifically and repeatedly targeted PM Lee's personal particulars and information on medication that had been dispensed to him.
- The authorities say a few ministers were also targeted but declined to identify them.
7. Killchain Timeline
Attacker track:
- Mar 2017: Pen test
- 23 Aug 2017: A user fell prey to phishing; the attacker gained initial access to SingHealth's IT network
- Aug 2017 to Jun 2018: Instances of malicious activity took place
- 27 Jun 2018: Attacker started bulk queries on the SCM database
- 27 Jun to 4 Jul 2018: Attacker exfiltrated data
Defender track:
- Jan 2018: Failed call-backs from workstations to a suspicious foreign IP detected
- 11-13 Jun 2018: DBA, Citrix and SCM teams detected failed logins to SCM; CERT started forensics
- 4 Jul 2018: DBA noticed unusual queries on SCM and terminated the queries; IHiS started investigation
- 10 Jul 2018: IHiS reported the attack to CSA, who worked with them
- 19 Jul 2018: IHiS detected further suspicious activity in the SingHealth network
- 20 Jul 2018: Internet Surfing Separation implemented; public announcement
Elapsed time from initial access (23 Aug 2017): 4 months 27 days to the first detection (Jan 2018); 10 months 5 days to the start of the bulk queries; 10 months 12 days to the termination of the queries. Five months passed between the Jan 2018 detection and the Jun 2018 detections.
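The timeline shows a week between the attacker's first bulk query on 27 June and the DBA noticing and terminating the queries on 4 July. The Python below is an added example, not code from the COI report or from IHiS, of how a database audit trail could be screened for bulk pulls automatically: it baselines rows-returned per login from a constructed "normal" week, then flags any query that dwarfs that baseline, comes from a client host the login has never used, or adds up to an unusual volume within a short window. The audit record layout, the login and host names, and the thresholds are all assumptions.

```python
"""Screen a database audit trail for bulk data pulls.

Added example, not code from the COI report or from IHiS/SingHealth. The
records are constructed; the column layout (timestamp, login, client host,
rows returned), the logins/hosts and the thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed "normal" week used to build a per-login baseline.
BASELINE = [
    ("2018-06-20 08:02:11", "clin_user1", "WS-0113", 1),
    ("2018-06-20 08:05:40", "clin_user1", "WS-0113", 3),
    ("2018-06-21 09:10:02", "clin_user2", "WS-0220", 1),
    ("2018-06-21 09:12:30", "clin_user2", "WS-0220", 2),
    ("2018-06-20 10:00:00", "svc_report", "RPT-01", 450),
    ("2018-06-21 10:00:00", "svc_report", "RPT-01", 470),
    ("2018-06-22 10:00:00", "svc_report", "RPT-01", 460),
]

# Constructed day under review: the same logins, plus the reporting account
# pulling whole tables at night from a Citrix server it has never used.
TODAY = [
    ("2018-06-27 08:03:30", "clin_user1", "WS-0113", 2),
    ("2018-06-27 09:11:15", "clin_user2", "WS-0220", 1),
    ("2018-06-27 10:00:00", "svc_report", "RPT-01", 455),
    ("2018-06-27 22:41:05", "svc_report", "CTX-01", 120000),
    ("2018-06-27 22:43:19", "svc_report", "CTX-01", 135000),
    ("2018-06-27 22:47:52", "svc_report", "CTX-01", 98000),
]

RATIO = 20                         # assumed: rows vs. the login's median
WINDOW = timedelta(minutes=15)     # assumed: sliding window per login
WINDOW_ROWS = 100_000              # assumed: cumulative rows per window


def parse(records):
    """Turn raw tuples into (datetime, login, host, rows)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), login, host, int(rows))
            for ts, login, host, rows in records]


def profile(baseline):
    """Median rows per query and the set of client hosts seen, per login."""
    rows, hosts = defaultdict(list), defaultdict(set)
    for _, login, host, n in parse(baseline):
        rows[login].append(n)
        hosts[login].add(host)
    return {login: median(v) for login, v in rows.items()}, hosts


def detect(baseline, today):
    """Return (timestamp, login, host, [reasons]) for every suspicious query."""
    med, hosts = profile(baseline)
    alerts = []
    recent = defaultdict(list)     # login -> [(ts, rows)] inside WINDOW
    for ts, login, host, n in sorted(parse(today)):
        reasons = []
        if login not in med:
            reasons.append("login has no baseline")
        elif n > RATIO * max(med[login], 1):
            reasons.append(f"{n} rows vs median {med[login]:.0f}")
        if host not in hosts.get(login, set()):
            reasons.append(f"new client host {host}")
        # Keep only this login's queries still inside the window, then add this one.
        window = [(t, r) for t, r in recent[login] if ts - t <= WINDOW] + [(ts, n)]
        recent[login] = window
        total = sum(r for _, r in window)
        if total >= WINDOW_ROWS:
            reasons.append(f"{total} rows in {WINDOW.seconds // 60} min")
        if reasons:
            alerts.append((ts.strftime("%Y-%m-%d %H:%M:%S"), login, host, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE, TODAY):
        print(alert)
```

Run as a script it prints the three night-time queries from CTX-01, each with all three reasons, and nothing for the daytime traffic. The "new client host" rule is the cheapest of the three and would have fired on the first query from a Citrix server regardless of volume; the ratio and window rules catch a slower pull spread over many smaller queries.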
8. Attacker's Artefacts
Malware
Usage: Malware was used by the attacker to obtain passwords for privilege escalation and lateral movement.
Artefacts: A log file from a known malware (Trojan.Vcrodat) containing the password credentials of the Workstation A user was found.
Publicly Available Hacking Tool
Usage: The hacking tools were used to regain access if the initial implant was removed. They allow remote interaction with mail exchange servers and simple brute-force attacks on email accounts.
Artefacts: Hacking tools (Mimikatz & Termite) were installed on Workstation A by exploiting a vulnerability in Microsoft Outlook. The tool was used to download files masquerading as .jpeg files that contained malicious PowerShell scripts.
Remote Access Trojan (RAT)
Usage: The RAT provided the attacker with the capability to access and control the workstation, execute shell scripts remotely, and upload and download files.
Artefacts: A RAT (Trojan.Nibatad) was created on Workstation A shortly after the installation of the hacking tool. The RAT was stealthy by design, or of a unique variant that avoided detection by standard anti-malware solutions.
9. Target Attack Killchain Analysis
Kill chain stages: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Action on Objective.
Weaponisation / Delivery (phishing): Infect with a dropper in the form of a malicious .exe or .dll file that is disguised as a document or image.
Exploitation: Once opened, Trojan.Vcrodat is loaded on the PC (via search order hijacking). Upon execution, Vcrodat loads an encrypted payload onto the victim's PC. This payload contacts a C&C server, sends system information about the infected PC to it, and downloads additional tools.
Installation: Once the initial PC is infected with Vcrodat, Whitefly begins mapping the network and further infecting PCs using publicly available tools, i.e. Mimikatz and another open-source tool that exploits a known Windows privilege escalation vulnerability on unpatched PCs. Whitefly also utilises the open-source hacking tool Termite (Hacktool.Rootkit) to perform more complex actions, such as controlling multiple compromised machines at a time.
Command & Control: Whitefly configures multiple C&C domains for each target.
Action on Objective: Mimikatz is repeatedly deployed to obtain credentials on more machines on the network until the attackers gain access to the desired data.
WHITEFLY MO: Remain dormant within the targeted organisation for long periods of time in order to steal large volumes of data.
10. WHITEFLY | MÓFǍNG | 模仿
From the Fox-IT threat report on Mofang: Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries.
Operation Whitefly
Malware: Trojan.Vcrodat; Trojan.Nibatad
Hacking Tools: Hacktool.Rootkit; Hacktool.Mimikatz
TTPs: Spear-phishing; multiple C&C domains
Reference Links: ThaiCERT | Reuters | RedAlert | Fox-IT | Symantec
11. Medical Records
[Diagram: Key Events of Cyber Attack, showing the attacker's movement to the SCM DB servers and the flow of data exfiltration]
Systems shown: Internet; Healthcare Institution A with Workstation A, Workstation B, Citrix Server 1 @SGH and Citrix Server 2 @SGH; Healthcare Institution B with Citrix Server 3 @HDC; SCM DB Servers.
Key events:
- Initial entry (23 August 2017)
- Lateral movement & privilege escalation (December 2017 to June 2018) across the workstations and Citrix servers
- Compromised SCM (26 June 2018)
- Queried SCM database (27 June 2018 to 4 July 2018)
- Data transferred and exfiltrated to the Internet (27 June 2018 to 4 July 2018)
13. Problem Identification
Despite tell-tale signs of a cyber attack that started in Aug 2017, about 1.5 million patient records were exfiltrated over a period of 8 days (27 June 2018 to 4 July 2018).
Challenges to IHiS
Should a similar cyber attack happen again, how might IHiS:
1. Enhance its response plan
2. Mitigate or reduce the risk of such an attack
3. Better protect its network and systems
14. Stakeholder Map / SOC Team
[Diagram: reporting and escalation relationships]
Senior stakeholders: CEO IHiS; MD MOHH; CSG IHiS; CISO; GCIO; MOH IOH; CSA OPS
Incident response: CERT Team; SIRM (Security Incident Response Manager); Security Incident Response Team (SIRT)
Service leads: Security Infrastructure Service Lead; Network; Application Service Lead; End User Management
15. As-Is Security Breach Scenario : Ben (Profile)
Ben, L1 - System Engineer, Security Management Department, IHiS
● One member of the Computer Emergency Response Team (CERT); has attended an incident response course ("Hacker Tools, Techniques, and Incident Handling" by SANS).
● The three-member CERT team was set up in Mar 2018.
● CERT team: first responders responsible for performing incident analysis to determine the scope and nature of the incident, collecting forensic evidence, tracking or tracing the intruder, and providing on-site assistance with incident recovery.
● Reports to Ernie, Senior Manager, SMD.
17. As-Is Security Breach Scenario : Ben (1/3)
18 Jan 2018
Investigation
While doing routine checks, L1 (Ben) was alerted to the file name of suspected malware found on the PHI 1 workstation.
● The PHI 1 workstation was attempting to connect to a foreign IP address and an associated URL (the foreign IP address belonged to the attacker's C2 server).
● The PHI 1 workstation also sent commands to two other IP addresses in a foreign country.
● The file name of the suspected malware was that of a legitimate program, but the program was not located in the correct file path; L1 did not notice this irregularity.
Actions Taken
● The PHI 1 workstation's network traffic to all three IP addresses was blocked, and the workstation was disconnected from the SingHealth network.
● The workstation was re-imaged and the files quarantined before it was reconnected to the network.
● The workstation no longer attempted to connect to the foreign IP address; however, commands were still being broadcast to the other two IP addresses.
● The outsourced MSS (Managed Security Services) vendor was asked to continue monitoring the suspicious IP addresses and URL. While the MSS provider is responsible for receiving alerts, assessing the seriousness of the alerts and deciding on remedial actions remain squarely within the remit of IHiS' security staff.
● The domain name of the foreign URL was not blocked.
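The irregularity L1 missed on the PHI 1 workstation, a legitimate file name sitting outside its normal directory, is the same signal as the search order hijacking used by Trojan.Vcrodat in slide 9, where a DLL with a system-library name is loaded from the dropper's own directory instead of System32. The Python below is an added example, not code from the COI report, IHiS or Symantec, of the check a first responder could run over an endpoint inventory. The inventory is a constructed snapshot, and EXPECTED_DIRS is a hypothetical allow-list that would in practice be generated from a clean reference image.

```python
"""Catch files that carry a legitimate Windows name but run from the wrong
directory ("right name, wrong path").

Added example, not code from the COI report, IHiS or Symantec. INVENTORY is a
constructed endpoint snapshot and EXPECTED_DIRS is a hypothetical allow-list;
in practice the allow-list would be generated from a clean reference image.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allow-list: the directories these names are expected to load from.
EXPECTED_DIRS = {
    "svchost.exe":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
    "version.dll":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "wininet.dll":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
}


@dataclass(frozen=True)
class Module:
    pid: int
    kind: str        # "process" (the image itself) or "dll" (a loaded module)
    path: str        # full path the file was actually loaded from
    host_path: str   # image path of the loading process (same as path for a process)


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def _name(path):
    return PureWindowsPath(path).name.lower()


def classify(m):
    """Return None if the module is where it belongs, otherwise a reason string."""
    expected = EXPECTED_DIRS.get(_name(m.path))
    if expected is None:
        return None                                  # unknown name: nothing to compare
    if _dir(m.path) in {e.lower() for e in expected}:
        return None
    if m.kind == "dll" and _dir(m.path) == _dir(m.host_path):
        # A system-library name resolved from the application's own directory
        # before System32: the DLL search-order hijack pattern.
        return "system DLL name loaded from the host's directory (search-order hijack)"
    return "legitimate file name outside its expected directory"


def find_masquerading(inventory):
    """(pid, name, path, reason) for every module that fails the path check."""
    hits = []
    for m in inventory:
        reason = classify(m)
        if reason:
            hits.append((m.pid, _name(m.path), m.path, reason))
    return hits


# Constructed endpoint snapshot (process images and a few loaded DLLs).
INVENTORY = [
    Module(612, "process", r"C:\Windows\System32\svchost.exe",
           r"C:\Windows\System32\svchost.exe"),
    Module(4120, "process", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Module(4120, "dll", r"C:\Windows\System32\version.dll",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # A dropper unpacked to %TEMP% alongside a DLL named like a system library.
    Module(5208, "process", r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
           r"C:\Users\alice\AppData\Local\Temp\viewer.exe"),
    Module(5208, "dll", r"C:\Users\alice\AppData\Local\Temp\version.dll",
           r"C:\Users\alice\AppData\Local\Temp\viewer.exe"),
    # A process using a well-known service name from a user-writable directory.
    Module(5330, "process", r"C:\Users\alice\AppData\Roaming\svchost.exe",
           r"C:\Users\alice\AppData\Roaming\svchost.exe"),
]


if __name__ == "__main__":
    for hit in find_masquerading(INVENTORY):
        print(hit)
```

The check deliberately compares only the directory, not a hash, so it works on a sample whose signature no vendor has yet; the two findings it returns for the sample (the planted version.dll and the svchost.exe under a user profile) are exactly the kind of item an online scan would have reported as benign on 20 Jan.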
18. As-Is Security Breach Scenario : Ben (2/3)
Investigation
19 Jan 2018 (AM)
L1 obtained network logs (proxy logs and firewall logs) and searched both for the period 1 to 19 Jan 2018.
19 Jan 2018 (PM)
L1 sent an email to the SMD, including L2 Ernie, titled "Hits to IOCs" ('IOCs' refers to indicators of compromise), attaching the network logs and telling them he had arranged for scans for hits involving the malicious IPs and URLs.
20 Jan 2018 (PM)
L1 analysed a process dump of the suspicious file identified on the PHI 1 workstation via an online service that analyses suspicious files and facilitates detection of viruses, Trojans, worms and malware. He wrongly trusted the benign result: the malware signature was not publicly available at that time, so the online check could not flag it as malicious. L1 was not trained and did not have the tools to analyse a process dump; he was trained only in digital and memory forensics.
22 Jan 2018
L1 noticed many instances of access to the foreign IP address. All the successful instances of access were from a single IP address and involved either a particular SGH user ID or the hostname of SGH Workstation A. Workstation A played a significant role in the Cyber Attack.
L1 continued to monitor network traffic to update L2. There was no further malicious outbound traffic from the PHI 1 workstation.
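The pivot L1 made on 22 Jan, finding that every successful connection to the foreign IP came from one source address, one user ID and one hostname, is a routine aggregation over proxy logs. The Python below is an added example, not code from the COI report or from IHiS; the proxy log format, the IOC values (documentation-range IP addresses and a reserved example domain), the user IDs and the host names are all constructed. It also matches domain IOCs, since blocking only the IP addresses left the foreign URL's domain reachable.

```python
"""Search proxy logs for hits on known indicators of compromise (IOCs) and
pivot on the sources of the successful ones.

Added example, not code from the COI report or from IHiS. The log lines,
IOC values (documentation-range IP addresses and a reserved example domain),
user IDs and host names are all constructed.
"""
from collections import Counter
from urllib.parse import urlsplit

IOC_IPS = {"203.0.113.7", "198.51.100.22", "198.51.100.23"}
IOC_DOMAINS = {"cdn-update.example.net"}

# Constructed proxy log: time, source IP, user ID, hostname, method, URL, HTTP status.
PROXY_LOG = """\
2018-01-19T09:14:02 10.20.31.5 jdoe SGH-WS-A GET http://203.0.113.7/check.php 200
2018-01-19T09:29:02 10.20.31.5 jdoe SGH-WS-A GET http://203.0.113.7/check.php 200
2018-01-19T09:31:47 10.20.31.9 - PHI1-WS GET http://203.0.113.7/check.php 403
2018-01-19T09:44:13 10.20.31.5 jdoe SGH-WS-A GET http://cdn-update.example.net/img/1.jpg 200
2018-01-19T09:45:00 10.20.40.11 mlee SGH-WS-B GET https://www.example.org/ 200
2018-01-19T10:02:55 10.20.31.9 - PHI1-WS POST http://198.51.100.22/cmd 403
2018-01-19T10:14:02 10.20.31.5 jdoe SGH-WS-A GET http://198.51.100.23/check.php 200
"""

FIELDS = ("time", "src_ip", "user", "host", "method", "url", "status")


def parse(line):
    rec = dict(zip(FIELDS, line.split()))
    rec["status"] = int(rec["status"])
    return rec


def matched_ioc(url):
    """The IOC the URL points at, or None. Matches IP literals and domains,
    including subdomains of a listed domain."""
    target = (urlsplit(url).hostname or "").lower()
    if target in IOC_IPS:
        return target
    labels = target.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ioc_hits(log):
    """Every log record whose destination matches an IOC, with the IOC attached."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        ioc = matched_ioc(rec["url"])
        if ioc:
            rec["ioc"] = ioc
            hits.append(rec)
    return hits


def pivot(hits):
    """Count hits per (source IP, user, hostname), split by whether the proxy
    let the request through (status < 400) or blocked it."""
    allowed, blocked = Counter(), Counter()
    for rec in hits:
        key = (rec["src_ip"], rec["user"], rec["host"])
        (allowed if rec["status"] < 400 else blocked)[key] += 1
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = pivot(ioc_hits(PROXY_LOG))
    print("allowed:", dict(allowed))
    print("blocked:", dict(blocked))
```

On the sample the blocked hits all come from the re-imaged PHI 1 workstation, while every allowed hit comes from a single source tied to one user ID and one hostname; that tuple is the owner, location and machine that slide 22 notes were never followed up. Matching the domain list means the .jpg fetch from the still-unblocked domain is counted alongside the IP hits rather than missed.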
20. As-Is Security Breach Scenario : Ben (3/3)
13 Jun 2018 (5 months later)
Investigation
❖ The DBA alerted the Citrix Team to failed login attempts to the SCM server and informed L1. The Citrix Team explained their log findings to L1:
● Attempts to access the SCM database from a Citrix server on 11 and 12 June 2018;
● Multiple usernames had been used in attempts to log in to the SCM database;
● Unauthorised access to Citrix Server 1 using the L.A. account on multiple occasions since 17 May 2018; the L.A. account should only have been used by the Citrix Team.
● L1 and the Citrix Team investigated the unauthorised accesses to find the physical locations of the workstations by pinging them, and found they were VMs.
● The PHI 1 workstation, which had been re-imaged, was compromised by malware again.
● The L.A. account had a weak password ('P@ssw0rd') that could easily be decrypted, and it was found in clear text in a batch file. The attacker possibly accessed this file and obtained the credentials.
Actions Taken
● L1 realised SCM was being targeted.
● The Citrix team emailed L1 and copied CERT, L2 and L3 (Cluster ISO for SingHealth), but Ernie was overseas and did not read the email immediately.
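Two of the findings above are mechanically detectable: many different usernames tried against the SCM database from one Citrix server within a few minutes (the password-spraying pattern), and a privileged account's password sitting in clear text in a batch file. The Python below is an added example, not code from the COI report or from IHiS. The login-failure lines mimic the wording of a SQL Server error log but are constructed (the regex would be adjusted to the real audit source); the batch file is constructed; and the account names, the ten-minute window, the four-username threshold and the short weak-password list are all assumptions.

```python
"""Two checks: password spraying against a database login, and clear-text
credentials left in a batch file.

Added example, not code from the COI report or from IHiS. LOGIN_LOG mimics the
wording of a SQL Server error log but is constructed (adjust LINE to the real
audit source); BATCH is constructed; account names, thresholds and the tiny
weak-password list are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_LOG = """\
2018-06-11 22:14:05 Logon  Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.20.50.12]
2018-06-11 22:14:07 Logon  Login failed for user 'scm_admin'. Reason: Password did not match. [CLIENT: 10.20.50.12]
2018-06-11 22:14:09 Logon  Login failed for user 'scm_svc'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.50.12]
2018-06-11 22:14:12 Logon  Login failed for user 'dba1'. Reason: Password did not match. [CLIENT: 10.20.50.12]
2018-06-11 22:14:15 Logon  Login failed for user 'backup'. Reason: Password did not match. [CLIENT: 10.20.50.12]
2018-06-11 09:02:41 Logon  Login failed for user 'clin_user1'. Reason: Password did not match. [CLIENT: 10.20.31.7]
2018-06-12 03:30:01 Logon  Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.20.50.12]
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[\d.]+)\]"
)


def parse_failures(text):
    """(timestamp, user, client) for every login-failure line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                        m["user"], m["client"]))
    return out


def spray_sources(events, window=timedelta(minutes=10), min_users=4):
    """Clients that tried at least `min_users` distinct usernames inside one
    `window`: {client: sorted usernames}. One client cycling through many
    names is spraying; one user failing repeatedly is usually just a typo."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))
    flagged = {}
    for client, tries in by_client.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):
            users = {u for t, u in tries[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[client] = sorted(users)
                break
    return flagged


# Constructed maintenance script of the kind found on a server share.
BATCH = r"""@echo off
rem nightly SCM extract (constructed example)
sqlcmd -S SCM-DB01 -U LA_ACCOUNT -P P@ssw0rd -i nightly.sql
net use \\FS01\share /user:svc_copy Winter2018!
"""

CRED_PATTERNS = [
    re.compile(r"-U\s+(?P<user>\S+)\s+-P\s+(?P<secret>\S+)"),     # sqlcmd / bcp style
    re.compile(r"/user:(?P<user>\S+)\s+(?P<secret>\S+)"),          # net use style
    re.compile(r"(?i)password\s*=\s*(?P<secret>\S+)"),             # connection strings
]
COMMON = {"p@ssw0rd", "password", "password1", "welcome1", "admin"}   # assumed deny-list


def is_weak(secret):
    return len(secret) < 12 or secret.lower() in COMMON


def find_cleartext_credentials(text):
    """Line number, user (if present) and a weak/strong verdict for each
    credential found; the secret itself is deliberately not returned."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                found.append({"line": lineno, "user": m.groupdict().get("user"),
                              "weak": is_weak(m["secret"])})
                break
    return found


if __name__ == "__main__":
    print(spray_sources(parse_failures(LOGIN_LOG)))
    print(find_cleartext_credentials(BATCH))
```

The spraying check keys on distinct usernames per client rather than on failure counts, which is what separates the Citrix server cycling through five accounts from a clinician mistyping one password. The credential scan reports location and account but never echoes the secret, so its output can go into a ticket; anything it flags as weak is a candidate for the same 'P@ssw0rd' finding regardless of whether an attacker has already read the file.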
21. As-Is Security Breach Scenario : Ernie (Profile)
Ernie - Senior Manager, Security Management Department, IHiS
● SingHealth's Security Incident Response Manager (SIRM): leads and coordinates IT security incident response; deemed the subject matter expert.
● The Security Incident Response Team (SIRT) updates the SIRM.
● Reports to the Assistant Director, Infrastructure Services & SingHealth Cluster Infrastructure Lead.
22. As-Is Security Breach Scenario : Ernie
19 Jan 2018
Investigation
Ernie received the email from L1. He "glanced" at the logs and saw multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1.
Actions Taken
No further investigation was proactively taken by Ernie to:
● identify the owner of the user ID shown in the logs (i.e. the user of Workstation A);
● identify the physical location of Workstation A;
● investigate the callbacks from Workstation A, including whether it was infected with malware; or
● block connections to the suspicious IP address from SGH or the rest of the SingHealth network.
There is also no indication that there was any follow-up from any other members of the SMD.
● Ernie deemed it not a reportable security incident, as the malware on the PHI 1 workstation was contained.
● The IR-SOP states that malware infections that have been detected, contained and cleaned, without network propagation, need not be reported.
● Ernie failed to investigate whether the malware had propagated across the network.
● Ernie did not inform Wee because suspected malware on a workstation is very common.
● Ernie did not file an Incident Reporting Form ("IRF") because suspected infections were not typically filed.
23. SIRM & CERT Pain Points - Empathy Map
Feels
● Alone & stressed
● Uncertain of impact / extent
● CERT team too lean (i.e. need a 24 x 7, strongly skilled SOC team, including a Threat Hunter)
● Not well versed in procedures / policies
Thinks & Says (from Ernie)
● I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident.
● If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated in the IR-SOP.
● Puts a lot of pressure on the team: CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO all want information.
Does (Moving forward)
● Case management software to log all investigative updates and track progress.
● Advanced endpoint detection and response (EDR) integrated with analytics / AI for rapid isolation of infected systems and collection of forensic evidence from multiple systems at the same time.
● Implement ATP (advanced threat protection) with advanced response capabilities.
25. Existing SERT Team
Roles and coverage (percentage of time):
L1 (Threat Analyst) 100% | L2 (Triage Analyst) 100% | L3 (Threat Hunting) 30% | IT SecOps 30% | Security Ops Manager 45%
Team members:
- Ben, System Engineer, SMD, IHiS
- Ernie, SIRM, Senior Manager, SMD, IHiS
26. Building an Advanced SOC Centre: Multiple Domains
People
1. What are skills needed?
2. Personality / attitude of staff
3. Constant upgrading of skills
Process
1. Incidents scenarios with responses
2. Entire lifecycle of incidents
3. Processes and continual improvement
Technology
1. SIEM architecture and use cases
2. SIEM integrated with Behaviour
based analytics, Endpoint detection
Response (EDR)
3. Web services to integrate them
Governance/metrics
1. Dashboard visibility and oversight
2. Policy, measurements and enforcements
3. Informing stakeholders
27. NIST Framework
IDENTIFY - Organisations
PROTECT - Safeguard Business
DETECT - Implement Systems
RESPOND - Take Action
RECOVER - Be Resilient
28. IDENTIFY
NIST FRAMEWORK CORE
Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Findings:
- Roles and responsibilities were well established by existing policies but not explicitly communicated, resulting in miscommunication and misinterpretation of security threats.
- A policy on handling Advanced Persistent Threats (APTs) was not in place during the cyber attack.
- The FY16 H-Cloud pen-test was conducted; however, the vulnerabilities surfaced were NOT prioritised, and several of the vulnerabilities identified were not handled with urgency.
29. IDENTIFY
CYBER RESILIENCE LIFECYCLE
Defining a roadmap and action plan to build or improve the organisation's cyber resilience plan.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● IBM X-Force Red
● IBM QRadar
● IBM Advanced Threat Protection (ATP) Feed
● SolarWinds Asset Management & Discovery (*)
Technique & Process:
● Cyber Resilience Preliminary Assessment
● Cyber Rapid Risk Readiness Assessment
● Software Defined Network Planning and Assessments
● Critical Data Protection Program
● Program Governance
(*) An asset discovery tool to automate the asset discovery and management process, as opposed to a physical asset register updated manually.
Tasks & Activities
Security assessment and review including:
● Asset inventory (including legacy systems)
● External network
● Internal network
● Wireless network
● Internet
● Firewall
● Host & server
● Remote access
● Risk assessment
● Pen-test
30. PROTECT (1/2)
NIST FRAMEWORK CORE
Develop and implement appropriate safeguards to ensure delivery of critical services.
Categories: Awareness and Training; Identity Management, Authentication and Access Control; Information Protection Processes and Procedures; Data Security; Maintenance; Protective Technology
Findings:
- The identity management system and process for granting access permissions and authorisation were poorly governed and not strictly enforced.
- The network was also poorly segregated and segmented, and mishandled by untrained staff, allowing the attackers to exploit these weaknesses in the attack.
- Cybersecurity personnel were poorly trained and therefore unable to appreciate and correlate their findings with the tactics, techniques and procedures (TTPs) of cyber attacks.
- The SIRT team was unfamiliar with the security policy documents and with the need to escalate the matter to CSA.
31. PROTECT (2/2)
NIST FRAMEWORK CORE
Develop and implement appropriate safeguards to ensure delivery of critical services.
Categories: Awareness and Training; Identity Management, Authentication and Access Control; Information Protection Processes and Procedures; Data Security; Maintenance; Protective Technology
Findings:
- Privileged users had a weak understanding of their roles and responsibilities.
- Absence of an APT playbook: the existing SIRT playbook was geared more towards conventional attacks, like ransomware and website defacement.
- Cybersecurity table-top (TT) exercises conducted in 2016 featured APTs as one of the threat scenarios; the omission of APTs from the playbook was gross neglect by the IHiS organisation.
- Weak maintenance process: confirmation of work done was based on a "trust" system, with no follow-up process to ensure enforcement of changes.
- Protective security solutions were in place but poorly managed, enforced and handled.
- The outsourced MSS service was also lacking in vigilance.
32. PROTECT (1/2)
CYBER RESILIENCE LIFECYCLE
Protecting the organisation against attacks by discovering vulnerabilities before they are exploited.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Backup as a Service
● Disaster Recovery as a Service
● Advanced Endpoint and Network Protection
Technique & Process:
● Security Infrastructure Management
● Managed Guardium
● Managed Web Defense
● Insider Threat Detection
Tasks & Activities
Identity Management, Authentication and Access Control:
● Improve the identity management process so that remote access and permissions are verified, revoked and audited.
● A central Public Key Infrastructure ("PKI") to issue digital certificates that validate connections to IHiS' network and support key exchange for encryption.
● Ensure enforcement of policies requiring multi-factor authentication and complex passwords.
Awareness and Training:
● The SIRT team needs to be adequately trained and informed of policies.
● Privileged users, third-party stakeholders and senior executives need to be educated on their roles and responsibilities in preventing cyber security incidents.
33. PROTECT (2/2)
CYBER RESILIENCE LIFECYCLE
Protecting the organisation against attacks by discovering vulnerabilities before they are exploited.
Proposed Tools, Technology, Technique & Process: as listed in PROTECT (1/2)
Tasks & Activities
Data Security:
● Network integrity needs to be improved through network segmentation and segregation of CII assets.
● Data at rest and in transit need to be adequately protected and encrypted to prevent data leaks.
● Assets must be well managed throughout removal, transfer and disposition.
● Integrity-checking mechanisms need to be in place to verify hardware, software, firmware and information integrity.
Maintenance:
● Ensure that maintenance work is properly conducted, with a proof-of-work record kept for reference.
Information Protection Processes and Procedures:
● Although several policies are in place, they need to be better communicated to the SIRT team.
● Ensure a vulnerability management plan is developed and implemented.
34. DETECT
NIST FRAMEWORK CORE
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Findings:
- Detection systems and policies were in place; however, personnel were not trained and equipped to recognise advanced persistent threats (APTs).
- The MSS vendor was contacted to assist with the monitoring and detection of the cybersecurity events.
- Personnel and systems were monitored and scanned for vulnerabilities but were unsuccessful in detecting the intrusion, as the malicious code was stealthy by design and not detected by standard anti-malware solutions.
- Detection processes via the MSS (e.g. anti-malware/anti-virus, intrusion detection/prevention systems, SIEM) were in place and successfully detected malicious activities, but not the malware itself.
- Maintenance of detection tools and follow-up processes were lax: anti-malware/anti-virus was not patched, and a firewall was down without this being detected.
35. DETECT
CYBER RESILIENCE LIFECYCLE
Detecting unknown threats with advanced analytics.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Managed X-Force Detection
● X-Force Command Centers
● Resiliency Orchestration with Cyber Incident Recovery: provides dashboard monitoring of cyber incidents, Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Technique & Process:
● Active Threat Assessment
● Whistleblowing policy
Tasks & Activities
AI helps to flag Anomalies and Events:
● Detected events are analysed to understand attack targets and methods
● Event data are collected and correlated from multiple sources and sensors
● Establish incident alert thresholds
Continuous 24 x 7 monitoring by a strong and knowledgeable SOC team:
● Proactive monitoring, including of suspicious activities or incidents
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events:
● Improve maintenance of detection tools by ensuring updates are applied
● Policies and procedures are well communicated and briefed to staff
● A shared management dashboard that covers not only the security incidents that were responded to and reported, visible all the way up to the organisation's CEO and reviewed periodically
36. RESPOND
NIST FRAMEWORK CORE
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
Findings:
- The response plan and policies were not well communicated to the SIRT team. However, necessary measures were taken to limit damage during and after the cyber attack.
- Roles and the order of operations are well defined in the SIRT team. Information on the incident was reported and shared within the SIRT team to limit the incident, and subsequently to the public and external stakeholders to promote broader cybersecurity awareness. However, failure to recognise the early warning signs of the threat delayed the communication process.
- The delay in detection and communication in turn delayed the forensic investigation in identifying the impact and nature of the attack (an APT).
- Recommendations surfaced by the annual pen-test, GIA audit and table-top exercises were not heeded and incorporated into the response plan.
37. RESPOND
CYBER RESILIENCE LIFECYCLE
Responding effectively to a cyber outbreak.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● X-Force Threat Management Response
● Initiate Backup as a Service and Disaster Recovery as a Service for data and production recovery
Technique & Process:
● Recovery notification workflow automation
● Dynamically managed infrastructure
Tasks & Activities
IHiS Security Incident Response Team (SIRT) preparation:
● The SOC team should be trained in all kinds of malicious attacks (including APTs) and aware of the strategies and procedures to apply in response to such attacks.
● The SOC team needs to know which stakeholders they need to report to.
● The SOC team should have a single consolidated view for analysis and forensics.
38. RECOVER
NIST FRAMEWORK CORE
Develop and implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired by the incident.
Categories: Recovery Planning; Improvements; Communications
Findings:
- A recovery plan was eventually executed to mitigate the attack and prevent further data breach and data theft.
- IHiS has since taken a series of measures to strengthen its cybersecurity, incorporating lessons learned from this incident.
- Public fallout was minimised, as there was a public inquiry into the failings, in part due to Singaporeans' confidence in the government's handling of the situation.
39. RECOVER
CYBER RESILIENCE LIFECYCLE
Recovering access to critical data and applications.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Resiliency Orchestration with Cyber Incident Recovery
● Backup as a Service
● Disaster Recovery as a Service
Technique & Process:
● Multi-Network WAN (MWS): dynamically reallocate bandwidth to support recovery
Tasks & Activities
IHiS Security Incident Response Team (SIRT) preparation:
● The SOC team and relevant IT staff are aware of recovery procedures and plans
● Recovery plans incorporate lessons learnt
● Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
41. Implementation Tiers (current: 1.5; target: Tier 3; ideal: Tier 4)
TIER 1: PARTIAL
- Cybersecurity professionals (staff) and the general employee population have had little to no cybersecurity-related training.
- The staff has a limited or nonexistent training pipeline.
- Security awareness is limited.
- Employees have little or no awareness of company security resources and escalation paths.
TIER 2: RISK INFORMED
- The staff and employees have received cybersecurity-related training.
- The staff has a training pipeline.
- There is an awareness of cybersecurity risk at the organisation level.
- Employees have a general awareness of security and of company security resources and escalation paths.
TIER 3: REPEATABLE (TARGET)
- The staff possesses the knowledge and skills to perform their appointed roles and responsibilities.
- Employees receive regular cybersecurity-related training and briefings.
- The staff has a robust training pipeline, including internal and external security conferences or training opportunities.
- The organisation and business units have a security champion or dedicated security staff.
TIER 4: ADAPTIVE (IDEAL)
- The staff's knowledge and skills are regularly reviewed for currency and applicability, and new skill and knowledge needs are identified and addressed.
- Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics.
- The staff has a robust training pipeline and routinely attends internal and external security conferences or training opportunities.
45. Swiss Cheese Model for Data Breach
[Diagram: successive defensive layers whose holes line up along the trajectory of data breach opportunity]
Layers, from organisational to individual:
- Organisation influence (LF)
- Inadequate security defences (LF)
- Precursors of unsafe data handling (LF)
- Unsafe act of data handling (AF)
AF: Active Failure; LF: Latent Failure
46. Thank you for Listening
For more information, please visit:
1. Inquiry into the SingHealth Cyber Attack: Report of the COI into the Cyber Attack on SingHealth, 10 Jan 2019
2. MoFang / Whitefly's profile on the ThaiCERT website: Whitefly/MoFang | APT Profile
3. Fox-IT's threat report on MoFang: MoFang threat report
4. SingHealth malware analysis by RedAlert: Singapore custom malware analysis
5. CSA whistleblowing channel: https://www.csa.gov.sg/legislation/whistleblowing
48. Thank you for being great classmates
All the best for your future endeavours
49. Jia Ming
Very IT savvy and willing to share and help his other team mates.
Very meticulous; organised; knowledgeable; good aesthetics (designer).
Jiaming is a very good team player and a humble leader of projects, always going the extra mile to ensure concepts are understood across the board, and extremely meticulous with slide formatting due to his background in media. He is also organised and is able to share concepts fluidly.
50. Wee Kim
Patient, and always acknowledges the perspectives of other, less IT-savvy team mates despite her IT expertise. She is very good at explaining IT concepts in simple terms.
Her experience in IT helped the group a lot.
Invaluable expertise; steered us in the correct direction.
Very knowledgeable and calm, able to help less IT-savvy members grasp concepts. Also, due to her previous work experience in IT, she is able to shed light on the actual work processes to help us understand the actual situation on the ground.
51. Shirley
Very detail-oriented; asks crucial questions to advance project development.
Extremely diligent, and put in extra effort in her own time.
Her perseverance is admirable; she contributed in spite of being ill.
Very conscientious in making sure the images in the PowerPoint are of clear quality.
Shirley is meticulous, always ensuring that our presentations are of high quality, even re-typing/re-making diagrams to ensure crispness of resolution and ease of reading. She's also very considerate, always making sure we have our meals before resuming project work.
52. We-Le
He showed us an owl photo.
He cares for his team mates' well-being.
Provided vital IHiS-related resources and documents for the team's reference.
Good team player who helped us search for additional resources.
We-Le provides level-headed feedback on the projects and is always around to share expertise from his previous industry.
53. Dixie
Highly energetic; her enthusiasm helped us get through this gruelling process!
Translates complex technical concepts into digestible content.
Always cheerful and brightens the group meetings.
Gave constructive ideas. Thumbs up.
Fast reader; helped to speed-read the massive report.