SingHealth Cyber Attack
Group 1:
Jiaming We-Le
Dixie Wee Kim
Shirley
Contents
Overview
- Organisation profile and Background
- Target and Victims
- Killchain timeline, Tools and Key Events
Problem Identification
- Problem statement
- Stakeholder Map/SOC Team
- As-Is Security Breach scenario with
Preliminary Analysis
- Pain Points using Empathy Map
- Comparison of Ideal SOC vs as-is team
NIST Cyber Security Framework
- Framework overview
- Framework guidelines
- Implementation tiers
- SOLUTIONS: Cyber resilience lifecycle
Conclusion
- Swiss Cheese Model for Data Breach
- IHIS Action Plan
Overview: Organisation Profile
Singapore Health Services (commonly abbreviated as SingHealth) is Singapore's largest
group of healthcare institutions. The group was formed in 2000 and consists of four public
hospitals, three community hospitals, five national specialty centres and a network of eight
polyclinics. The Singapore General Hospital is the largest hospital in the group and serves as
the flagship hospital for the cluster.
Between 23 August 2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented
scale and sophistication was carried out on the patient database of Singapore Health Services
Private Limited (“SingHealth”).
The database was illegally accessed and the personal particulars of almost 1.5 million patients,
including their names, NRIC numbers, addresses, genders, races, and dates of birth, were
exfiltrated over the period of 27 June 2018 to 4 July 2018.
Around 160,000 of these 1.5 million patients also had their outpatient dispensed medication
records exfiltrated. The Prime Minister’s personal and outpatient medication data
was specifically targeted and repeatedly accessed.
Hackers did not amend or delete the records.
Background: Targets & Victims
Targets: PM Lee Hsien Loong; other ministers (the authorities say a few ministers were also targeted but declined to identify them).
Victims: 1.5 million patients.
Data stolen included:
1. Names
2. NRIC
3. Addresses
4. Gender
5. Race information
6. Date of birth
About 160,000 of these patients also had their outpatient prescriptions stolen.
The attackers specifically and repeatedly targeted PM Lee's personal particulars and information on medication that had been dispensed to him.
Killchain Timeline
Attacker
- 23 Aug 2017: User fell prey to phishing. Attacker gained initial access to SingHealth's IT network
- Aug 2017 onwards: instances of malicious activity took place
- 27 June 2018: Attacker started bulk query on SCM database
- 27 June – 4 July 2018: Attacker exfiltrated data
Defender
- Mar 2017: PenTest
- Jan 2018: Detected failed call-backs from workstations to a suspicious foreign IP
- 11-13 Jun 2018: DBA, Citrix and SCM teams detected failed logins to SCM; CERT started forensics
- 4 July 2018: DBA noticed unusual queries on SCM and terminated the queries; IHiS started investigation
- 10 July 2018: IHiS reported the attack to CSA, who worked with them
- 19 July 2018: IHiS detected further suspicious activity in the SingHealth network
- 20 July 2018: Internet Surfing Separation implemented; public announcement
Elapsed-time markers on the timeline: 4 months 27 days; 10 months 5 days; 10 months 12 days; 5 months.
Attacker's Artefacts
Malware
Usage: Malware was used by the attacker to obtain passwords for privilege escalation and lateral movement.
Artefacts: A log file from a known malware (Trojan.Vcrodat) containing the password credentials of the Workstation A user was found.
Publicly Available Hacking Tool
Usage: The hacking tools were used to regain access if the initial implant was removed. They allow remote interaction with mail exchange servers and simple brute-force attacks on email accounts.
Artefacts: Hacking tools (Mimikatz & Termite) were installed on Workstation A by exploiting a vulnerability in Microsoft Outlook. The tool was used to download files masquerading as .jpeg files that contained malicious PowerShell scripts.
Remote Access Trojan (RAT)
Usage: The RAT provided the attacker with the capability to access and control the workstation, execute shell scripts remotely, and upload and download files.
Artefacts: The RAT (Trojan.Nibatad) was created on Workstation A shortly after the installation of the hacking tool. The RAT is stealthy by design, or of unique variants that avoided detection by standard anti-malware solutions.
Target Attack Killchain Analysis
WHITEFLY MO: Remain dormant within the targeted organization for long periods of time in order to steal large volumes of data.
RECONNAISSANCE / WEAPONISATION
Dropper in the form of a malicious .exe or .dll file that is disguised as a document or image.
DELIVERY
Phishing: the victim is infected with the dropper.
EXPLOITATION
Once opened, Trojan.Vcrodat is loaded on the PC (via search order hijacking). Upon execution, Vcrodat loads an encrypted payload onto the victim's PC. This payload contacts a C&C server, sends system information about the infected PC to the C&C server and downloads additional tools.
INSTALLATION
Once the initial PC is infected with Vcrodat, Whitefly begins mapping the network and further infecting PCs using publicly available tools, i.e. Mimikatz and another open-source tool that exploits a known Windows privilege escalation vulnerability on unpatched PCs.
Whitefly utilises an open-source hacking tool called Termite (Hacktool.Rootkit) to allow it to perform more complex actions, such as controlling multiple compromised machines at a time.
COMMAND & CONTROL
Whitefly configures multiple C&C domains for each target.
ACTION ON OBJECTIVE
Mimikatz is repeatedly deployed to obtain credentials on more machines on the network until they gain access to the desired data.
WHITEFLY | MÓFǍNG | 模仿
Mofang is a threat actor that almost certainly operates out of China and is probably
government-affiliated. It is highly likely that Mofang’s targets are selected based on
involvement with investments, or technological advances that could be perceived as a threat
to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on
government and critical infrastructure of Myanmar that is described in this report. Chances
are about even, though, that Mofang is a relevant threat actor to any organization that invests
in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar,
Mofang has been observed to attack targets across multiple sectors (government, military,
critical infrastructure and the automotive and weapon industries) in multiple countries.
Operation Whitefly
Malware: Trojan.Vcrodat; Trojan.Nibatad
Hacking Tools: Hacktool.Rootkit; Hacktool.Mimikatz
TTPs: Spear-phishing; Multiple C&C domains
Reference Links: Thaicert | Reuters | Redalert | Foxit | Symantec
Key Events of Cyber Attack
Attack-path diagram; recoverable labels:
Entities: Internet; Healthcare Institution A; Healthcare Institution B; Workstation A; Workstation B; Citrix Server 1 @SGH; Citrix Server 2 @SGH; Citrix Server 3 @HDC; Citrix Servers; SCM DB Servers; Medical Records.
Attacker's movement to SCM DB Server:
- Initial entry (23 August 2017)
- Lateral movement & privilege escalation (December 2017 – June 2018)
- Compromised SCM (26 June 2018)
- Queried SCM Database (27 June 2018 – 4 July 2018)
Flow of data exfiltration:
- Data transferred (27 June 2018 – 4 July 2018)
- Data exfiltration (27 June 2018 – 4 July 2018)
Problem Identification
Challenges to IHiS
Should a similar cyber attack happen again, how might IHiS:
1. Enhance its response plan
2. Mitigate or reduce the risk of such an attack
3. Better protect its network and systems
Despite tell-tale signs of cyber attacks that started in Aug 2017, about 1.5 million patient records were exfiltrated over a period of 8 days (27 June 2018 to 4 July 2018).
Stakeholder Map / SOC Team
Stakeholders: CEO IHIS; MD MOHH; CSG; IHIS CISO; GCIO; MOH IOH; CSA OPS
SOC and incident response roles: CERT Team; SIRM; Security Incident Response Team (SIRT); Security Infrastructure Service Lead; Network; Application Service Lead; End User Management
As-Is Security Breach Scenario : Ben (Profile)
Ben, L1 - System Engineer, Security Management Department, IHiS
● One member of the Computer Emergency Response Team (CERT), who has attended an incident response course ("Hacker Tools, Techniques, and Incident Handling" by SANS).
● The three-member CERT team was set up in Mar 2018.
● CERT team: first responders who are responsible for performing incident analysis to determine the scope and nature of the incident, collecting forensic evidence, tracking or tracing the intruder, and providing on-site assistance to help with incident recovery.
● Reports to Ernie, Senior Manager, SMD.
As-Is Security Breach Scenario : Ben (1/3)
18 Jan 2018
Investigation
While doing routine checks, L1 was alerted to the filename of a suspected malware found on the PHI 1 workstation.
● The PHI 1 Workstation attempted to connect to a foreign IP address and an associated URL (the foreign IP address belongs to the attacker's C2 server).
● The PHI 1 Workstation sent commands to two other IP addresses in a foreign country.
● While the file name of the suspected malware was that of a legitimate program, the program was not located in the correct file path; L1 did not notice this irregularity.
Actions Taken
● The PHI 1 Workstation's network traffic to all 3 IP addresses was blocked and the workstation was disconnected from the SingHealth network.
● The workstation was reimaged and files were quarantined before it was reconnected to the network.
● The workstation was no longer attempting to connect to the foreign IP address. However, commands were still being broadcast to the other two IP addresses.
● L1 contacted the outsourced MSS (Managed Security Services) vendor to continue monitoring the suspicious IP addresses and URL. While the MSS provider is responsible for receiving alerts, ultimately the assessment of the seriousness of the alerts and the consequent remedial actions are squarely within the remit of IHiS' security staff.
● The domain name of the foreign URL was not blocked.
As-Is Security Breach Scenario : Ben (2/3)
Investigation
19 Jan 2018 (AM): L1 obtained network logs (proxy logs and firewall logs) and searched both for the period 1 to 19 Jan 2018.
19 Jan 2018 (PM): L1 sent an email to the SMD, including L2 Ernie, titled "Hits to IOCs" ('IOCs' refers to indicators of compromise), attaching the network logs and telling them he had arranged for scans for hits involving the malicious IPs and URLs.
20 Jan 2018 (PM): L1 analysed a process dump of the suspicious file identified on the PHI 1 Workstation via an online service which analyses suspicious files and facilitates detection of viruses, Trojans, worms and malware. He wrongly trusted the benign online result: the malware signature was not publicly available at that time, so the online check was unable to flag it as malicious. He was not trained and did not have tools to analyse a process dump; he was only trained in digital and memory forensics.
22 Jan 2018: L1 noticed many instances of access to the foreign IP address. All the successful instances of access were from a single IP address and involved either a particular SGH user ID or the hostname of SGH Workstation A. Workstation A played a significant role in the Cyber Attack.
L1 continued to monitor network traffic in order to update L2. There was no further malicious outbound traffic from the PHI 1 Workstation.
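The "Hits to IOCs" search described above, written out as detection logic. This is an added example, not code from the presentation or the COI report: it correlates constructed proxy-log lines against a constructed IOC list, groups hits by source host and flags hosts with repeated successful callbacks, the pattern that singled out Workstation A. The log format, IP addresses, domain and user names are all placeholders.

```python
"""Correlate proxy/firewall log lines against indicators of compromise (IOCs).

Added example with constructed data; nothing here is a real indicator.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed IOC list (documentation-range placeholders, not real indicators).
IOC_IPS = {"203.0.113.45", "198.51.100.7", "198.51.100.8"}
IOC_DOMAINS = {"update-check.example.net"}

# Constructed proxy-log format: "<date> <time> <user> <src_ip> <ALLOW|DENY> <dest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<action>ALLOW|DENY) (?P<dest>\S+)$"
)


@dataclass
class Hit:
    ts: str
    user: str
    src: str
    action: str
    dest: str


def parse_line(line):
    """Return a Hit for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    return Hit(**m.groupdict()) if m else None


def is_ioc(dest):
    """Match on the host part only, so paths and ports do not hide a hit."""
    host = dest.split("/")[0].split(":")[0].lower()
    return host in IOC_IPS or host in IOC_DOMAINS


def find_ioc_hits(lines):
    return [h for h in map(parse_line, lines) if h and is_ioc(h.dest)]


def summarise(hits):
    """Group hits by source host so a single beaconing host stands out."""
    per_src = defaultdict(
        lambda: {"allowed": 0, "denied": 0, "users": set(), "dests": set()}
    )
    for h in hits:
        s = per_src[h.src]
        s["allowed" if h.action == "ALLOW" else "denied"] += 1
        s["users"].add(h.user)
        s["dests"].add(h.dest.split("/")[0])
    return dict(per_src)


def escalation_candidates(summary, min_allowed=3):
    """Hosts with repeated *successful* callbacks warrant escalation,
    whatever an online file scanner says about the binary involved."""
    return sorted(s for s, v in summary.items() if v["allowed"] >= min_allowed)


# Constructed sample log: one host beacons repeatedly, one is blocked once,
# one only talks to an internal site.
SAMPLE_LOG = """\
2018-01-18 09:12:01 sgh\\user01 10.10.5.21 ALLOW 203.0.113.45/beacon
2018-01-18 09:17:03 sgh\\user01 10.10.5.21 ALLOW 203.0.113.45/beacon
2018-01-18 09:22:09 sgh\\user01 10.10.5.21 ALLOW update-check.example.net/cfg
2018-01-18 09:30:44 phi1\\svc 10.20.7.9 DENY 198.51.100.7:443
2018-01-18 09:41:12 sgh\\user77 10.10.5.40 ALLOW intranet.example.local/home
2018-01-18 10:02:30 sgh\\user01 10.10.5.21 ALLOW 203.0.113.45/beacon
"""


def run(log_text=SAMPLE_LOG):
    """Return (per-source summary, hosts to escalate) for a log text."""
    summary = summarise(find_ioc_hits(log_text.splitlines()))
    return summary, escalation_candidates(summary)


if __name__ == "__main__":
    summary, cands = run()
    for src, v in summary.items():
        print(src, v["allowed"], v["denied"], sorted(v["users"]), sorted(v["dests"]))
    print("escalate:", cands)
```

With the constructed log the single beaconing host is reported with its user ID and destinations, which is exactly the information that was never followed up on in the scenario.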
As-Is Security Breach Scenario : Ben (3/3)
13 Jun 2018 (5 months later)
Investigation
❖ The DBA also alerted the Citrix Team on failed login attempts to the SCM server and informed L1. The Citrix Team explained their log findings to L1:
● Attempts to access the SCM database from a Citrix Server on 11 and 12 June 2018;
● Multiple usernames had been used in attempts to log in to the SCM database;
● Unauthorised access to Citrix Server 1 using the L.A. account on multiple occasions since 17 May 2018; the L.A. account should only have been used by the Citrix Team.
● L1 and the Citrix Team investigated the unauthorised accesses to find the physical locations of the workstations by pinging them, and found they were VMs.
● The PHI 1 Workstation, which had been re-imaged, was compromised by malware again.
● The L.A. account had a weak password ('P@ssw0rd') that could easily be decrypted, and it was found in a batch file in clear text. The attacker possibly accessed this file and obtained the credentials.
Actions Taken
● L1 realised SCM was being targeted.
● The Citrix team emailed L1 and copied CERT, L2 and L3 (Cluster ISO for SingHealth), but Ernie was overseas and did not read the email immediately.
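The two log findings the Citrix Team reported (many usernames failing to log in to the SCM database from one source, and the L.A. account used from hosts outside the Citrix Team) expressed as detection logic. This is an added example, not part of the presentation: it runs over constructed login-audit lines, and the host names, account names and allow-list are placeholders.

```python
"""Flag credential-guessing against a database and misuse of a team-only
account, from constructed login-audit lines.

Added example; all hosts, accounts and timestamps are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit format: "<date> <time> <source_host> <account> <SUCCESS|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<user>\S+) (?P<result>SUCCESS|FAIL)$"
)


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def spray_sources(events, window=timedelta(hours=1), min_users=3):
    """Hosts from which at least min_users distinct accounts failed to log in
    within one sliding window. Many accounts from one source is the signature
    of guessing, as opposed to one user mistyping a password."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["host"]].append((e["ts"], e["user"]))
    flagged = {}
    for host, items in fails.items():
        items.sort()  # by timestamp, then account
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[host] = sorted(users)
                break
    return flagged


def misused_accounts(events, allowed_hosts):
    """Restricted accounts used *successfully* from a host that is not on
    that account's allow-list (the L.A. account should only have been used
    by the Citrix Team's own hosts)."""
    out = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS" and e["user"] in allowed_hosts:
            if e["host"] not in allowed_hosts[e["user"]]:
                out[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in out.items()}


# Constructed sample: four accounts fail from one server within a minute,
# a team-only account succeeds from an unexpected workstation.
SAMPLE = """\
2018-06-11 22:01:05 CITRIX-1 scm_admin FAIL
2018-06-11 22:01:09 CITRIX-1 sa FAIL
2018-06-11 22:01:14 CITRIX-1 dba01 FAIL
2018-06-11 22:01:20 CITRIX-1 dba02 FAIL
2018-06-11 23:10:00 WS-B la_account SUCCESS
2018-06-12 08:00:00 CITRIX-TEAM-01 la_account SUCCESS
2018-06-12 09:15:00 CITRIX-1 appuser FAIL
"""

# Constructed allow-list: which hosts may legitimately use the restricted account.
ALLOWED = {"la_account": {"CITRIX-TEAM-01", "CITRIX-TEAM-02"}}


def analyse(text=SAMPLE, allowed=ALLOWED):
    """Return (guessing sources, misused accounts) for an audit text."""
    events = [e for e in map(parse, text.splitlines()) if e]
    return spray_sources(events), misused_accounts(events, allowed)


if __name__ == "__main__":
    spray, misuse = analyse()
    print("guessing from:", spray)
    print("account misuse:", misuse)
```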
As-Is Security Breach Scenario : Ernie (Profile)
Ernie - Senior Manager, Security Management Department, IHiS
● SingHealth's Security Incident Response Manager (SIRM), who leads and coordinates IT security incident response and is deemed the Subject Matter Expert.
● The Security Incident Response Team (SIRT) updates the SIRM.
● Reports to the Assistant Director, Infrastructure Services & SingHealth Cluster Infrastructure Lead.
As-Is Security Breach Scenario : Ernie
19 Jan 2018
Investigation
Ernie received the email from L1. He "glanced" at the logs and saw multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1.
No further investigation was proactively taken by Ernie to:
● identify the owner of the user ID shown in the logs (i.e. the user of Workstation A);
● identify the physical location of Workstation A;
● investigate the callbacks from Workstation A, including whether it was infected with malware; or
● block connections to the suspicious IP address from SGH or the rest of the SingHealth network.
There is also no indication that there was any follow-up from any other members of the SMD.
Actions Taken
● Ernie deemed it not a reportable security incident, as the malware on the PHI 1 Workstation was contained.
● The IR-SOP states that malware infections that have been detected, contained and cleaned, without network propagation, need not be reported.
● Ernie failed to investigate whether the malware had propagated across the network.
● Ernie did not inform Wee because suspected malware on a workstation is very common.
● Ernie did not file an Incident Reporting Form ("IRF") because suspected infections are not typically filed.
SIRM & CERT Pain Points - Empathy Map
Feels
● Alone & stressed
● Uncertain of impact / extent
● CERT team too lean (i.e. need a 24 x 7 strong, skilled SOC team, including a Threat Hunter)
● Not well versed in procedures / policies
Thinks & Says (from Ernie)
● I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident.
● If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated in the IR-SOP.
● Puts a lot of pressure on the team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO all want info.
Does (Moving forward)
● Case management software to log all investigative updates and track progress.
● Advanced endpoint detection and response (EDR) integrated with analytics / AI for rapid isolation of infected systems, and collection of forensic evidence from multiple systems at the same time.
● Implement ATP with advanced response capabilities.
Ideal SOC Team vs Existing SERT Team
Ideal SOC roles, with the percentage charted against each on the slide:
- L1 (Threat Analyst): 100%
- L2 (Triage Analyst): 100%
- L3 (Threat Hunting): 30%
- IT SecOps: 30%
- Security Ops Manager: 45%
Existing SERT Team:
- Ben, System Engineer, SMD, IHiS
- Ernie, SIRM, Senior Manager, SMD, IHiS
Building an Advanced SOC Centre: multiple domains
People
1. What are skills needed?
2. Personality / attitude of staff
3. Constant upgrading of skills
Process
1. Incidents scenarios with responses
2. Entire lifecycle of incidents
3. Processes and continual improvement
Technology
1. SIEM architecture and use cases
2. SIEM integrated with Behaviour
based analytics, Endpoint detection
Response (EDR)
3. Web services to integrate them
Governance/metrics
1. Dashboard visibility and oversight
2. Policy, measurements and enforcements
3. Informing stakeholders
NIST Framework
IDENTIFY - Organisations
PROTECT - Safeguard Business
DETECT - Implement Systems
RESPOND - Take Action
RECOVER - Be Resilient
IDENTIFY - NIST FRAMEWORK CORE
Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Findings:
● Roles and responsibilities were well established by existing policies but not explicitly communicated, resulting in miscommunication and misinterpretation of security threats.
● A policy on handling Advanced Persistent Threats (APTs) was not in place during the cyber attack.
● The FY16 H-Cloud pen-test was conducted; however, the vulnerabilities surfaced were NOT prioritised, as several of the vulnerabilities identified were not handled with urgency.
IDENTIFY - CYBER RESILIENCE LIFECYCLE
Defining a roadmap and action plan to build or improve the organisation's cyber resilience plan.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● IBM X-Force Red
● IBM QRadar
● IBM Advanced Threat Protection (ATP) Feed
● *SolarWinds Asset Management & Discovery
Technique & Process:
● Cyber Resilience Preliminary Assessment
● Cyber Rapid Risk Readiness Assessment
● Software Defined Network Planning and Assessments
● Critical Data Protection Program
● Program Governance
❖ *Asset discovery tool to automate the asset discovery and management process, as opposed to a physical asset register updated manually
Tasks & Activities
Security assessment and review including:
● Asset inventory (includes legacy systems)
● External network
● Internal network
● Wireless network
● Internet
● Firewall
● Host & Server
● Remote access
● Risk assessment
● Pen-Test
PROTECT (1/2) - NIST FRAMEWORK CORE
Develop and implement appropriate safeguards to ensure delivery of critical services.
Categories: Awareness and Training; Identity Management, Authentication and Access Control; Information Protection Processes and Procedures; Data Security; Maintenance; Protective Technology
Findings:
● The identity management system and process that grant access permissions and authorisation were poorly governed and not strictly enforced.
● The network was also poorly segregated and segmented, and mishandled by untrained staff, allowing attackers to exploit these vulnerabilities in the attack.
● Cybersecurity personnel were poorly trained and therefore unable to appreciate and correlate their findings with the tactics, techniques and procedures (TTPs) of cyber attacks.
● The SIRT team were unfamiliar with the security policy documents and the need to escalate the matter to CSA.
PROTECT (2/2) - NIST FRAMEWORK CORE
Develop and implement appropriate safeguards to ensure delivery of critical services.
Findings:
● **Privileged users had a weak understanding of their roles and responsibilities.
● Absence of an APT playbook: the existing SIRT playbook was geared more towards conventional attacks, like ransomware and website defacement. The cybersecurity table-top (TT) exercises conducted in 2016 featured APTs as one of the threat scenarios; the omission of APTs from the playbook was gross neglect by the IHIS organisation.
● Weak maintenance process: confirmation of work done is based on a "trust" system, with no follow-up process to ensure enforcement of changes.
● Protective security solutions are in place but poorly managed, enforced and handled. The outsourced MSS service was also lacking in vigilance.
PROTECT (1/2) - CYBER RESILIENCE LIFECYCLE
Protecting the organisation against attacks by discovering vulnerabilities before they are exploited.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Backup as a Service
● Disaster Recovery as a Service
● Advanced Endpoint and Network Protection
Technique & Process:
● Security Infrastructure Management
● Managed Guardium
● Managed Web Defense
● Insider Threat Detection
Tasks & Activities
Identity Management, Authentication and Access Control:
● Improve the identity management process so that remote access and permissions are verified, revoked and audited.
● A central Public Key Infrastructure ("PKI") to issue digital certificates to validate connections to IHiS' network, and to support key exchange for encryption purposes.
● Ensure *enforcement of policies that require multi-factor authentication and complex passwords.
Awareness and Training:
● The SIRT team needs to be adequately trained and informed of policies.
● Privileged users, third-party stakeholders and senior executives need to be educated on their roles and responsibilities in the prevention of cyber security incidents.
PROTECT (2/2) - CYBER RESILIENCE LIFECYCLE
Protecting the organisation against attacks by discovering vulnerabilities before they are exploited.
Tasks & Activities
Data Security:
● Network integrity needs to be improved, through network segmentation and segregation of CII assets.
● Data at rest and in transit need to be adequately protected and encrypted to prevent data leaks.
● Assets must be well managed throughout removal, transfer and disposition.
● Integrity checking mechanisms need to be in place to check hardware, software, firmware and information integrity.
Maintenance:
● Ensure that maintenance work is properly conducted, through a proof-of-work system as reference.
Information Protection Processes and Procedures:
● Although there are several policies in place, they need to be better communicated to the SIRT team.
● Ensure a vulnerability management plan is developed and implemented.
DETECT - NIST FRAMEWORK CORE
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Findings:
● Detection systems and policies were in place; however, personnel were not trained and equipped to recognise advanced persistent threats (APTs).
● The MSS vendor was contacted to assist with the monitoring and detection of the cybersecurity events.
● Personnel and systems were monitored and scanned for vulnerabilities but were unsuccessful in their detection, as the malicious code was stealthy by design and not detected by standard anti-malware solutions.
● Detection processes via MSS (e.g. anti-malware/antivirus, intrusion detection/prevention systems, SIEM) were in place and successfully detected malicious activities, but not the malware itself.
● Maintenance of detection tools and follow-up processes were lax: anti-malware/antivirus was not patched, and a firewall was down without this being detected.
DETECT - CYBER RESILIENCE LIFECYCLE
Detecting unknown threats with advanced analytics.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Managed X-Force Detection
● X-Force Command Centers
● Resiliency Orchestration with Cyber Incident Recovery - provides dashboard monitoring of cyber incidents, Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Technique & Process:
● Active Threat Assessment
● Whistleblowing policy
Tasks & Activities
AI helps to flag anomalies and events:
● Detected events are analysed to understand attack targets and methods.
● Event data are collected and correlated from multiple sources and sensors.
● Establish incident alert thresholds.
Continuous 24 x 7 monitoring by a strong and knowledgeable SOC team:
● Proactive monitoring, including of suspicious activities or incidents.
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events:
● Improve maintenance of detection tools by ensuring updates are applied.
● Processes and procedures are well communicated and briefed to staff.
● A shared management dashboard that covers not only the security incidents which were responded to and reported, visible all the way up to the organisation's CEO and reviewed periodically.
RESPOND - NIST FRAMEWORK CORE
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
Findings:
● The response plan and policies were not well communicated to the SIRT team. However, necessary measures were taken to limit damage during and after the cyber attack.
● Roles and order of operations are well defined in the SIRT team. Information on the incident was reported and shared within the SIRT team to limit the incident, and subsequently to the public and external stakeholders to promote broader cybersecurity awareness. However, failure to recognise the early warning signs of the threat delayed the communication process.
● The delay in the detection and communication process in turn delayed the forensic investigation in identifying the impact and nature of the attack (APT).
● Recommendations surfaced from the annual pen-test, GIA audit and table-top exercises were not heeded and incorporated into the response plan.
RESPOND - CYBER RESILIENCE LIFECYCLE
Responding effectively to a cyber outbreak.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● X-Force Threat Management Response
● Initiate Backup as a Service and Disaster Recovery as a Service for data and production recovery
Technique & Process:
● Recovery notification workflow automation
● Dynamically managed infrastructure
Tasks & Activities
IHIS Security Incident Response Team (SIRT) preparation:
● The SOC team should be trained in all kinds of malicious attacks (including APTs) and aware of the strategies and procedures to apply in response to such attacks.
● The SOC team needs to know which stakeholders they need to report to.
● The SOC team should have a single consolidated view from which to do their analysis and forensics.
RECOVER - NIST FRAMEWORK CORE
Develop and implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired by the incident.
Categories: Recovery Planning; Improvements; Communications
Findings:
● A recovery plan was eventually executed to mitigate the attack and prevent further data breach and data theft.
● IHIS has since taken a series of measures to strengthen its cybersecurity, incorporating lessons learned from this incident.
● Public fallout was minimised, as there was a public inquiry into the failings, in part due to Singaporeans' confidence in the government's handling of the situation.
RECOVER - CYBER RESILIENCE LIFECYCLE
Recovering access to critical data and applications.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Resiliency Orchestration with Cyber Incident Recovery
● Backup as a Service
● Disaster Recovery as a Service
Technique & Process:
● MultiNetwork WAN (MWS) - dynamically reallocate bandwidth to support recovery
Tasks & Activities
IHIS Security Incident Response Team (SIRT) preparation:
● The SOC team and relevant IT staff are aware of recovery procedures and plans.
● Recovery plans incorporate lessons learnt.
● Recovery activities are communicated to internal and external stakeholders as well as executive and management teams.
Implementation Tiers
TIER 1 - PARTIAL
- Cybersecurity professionals (staff) and the general employee population have had little to no cybersecurity-related training.
- The staff has a limited or nonexistent training pipeline.
- Security awareness is limited.
- Employees have little or no awareness of company security resources and escalation paths.
TIER 2 - RISK INFORMED
- The staff and employees have received cybersecurity-related training.
- The staff has a training pipeline.
- There is an awareness of cybersecurity risk at the organisation level.
- Employees have a general awareness of security and of company security resources and escalation paths.
TIER 3 - REPEATABLE
- The staff possesses the knowledge and skills to perform their appointed roles and responsibilities.
- Employees should receive regular cybersecurity-related training and briefings.
- The staff has a robust training pipeline, including internal and external security conferences or training opportunities.
- The organisation and business units have a security champion or dedicated security staff.
TIER 4 - ADAPTIVE
- The staff's knowledge and skills are regularly reviewed for currency and applicability, and new skills and knowledge needs are identified and addressed.
- Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics.
- The staff has a robust training pipeline and routinely attends internal and external security conferences or training opportunities.
Implementation Tiers - assessment
CURRENT: 1.5 (between Tier 1 Partial and Tier 2 Risk Informed)
TARGET: Tier 3 - Repeatable
IDEAL: Tier 4 - Adaptive
Conclusion
Swiss Cheese Model for Data Breach
Layers of defence and the holes in each:
● Organisation influence (LF)
● Precursors of unsafe data handling (LF)
● Unsafe act of data handling (AF)
● Inadequate security defences (LF)
The trajectory of data breach opportunity passes through the aligned holes in every layer.
AF: Active Failure; LF: Latent Failure
Thank you for listening
For more information, please visit:
1. Inquiry into SingHealth Cyber Attack: Report of the COI into the Cyber Attack on SingHealth, 10 Jan 2019
2. Mofang / Whitefly profile on the ThaiCERT website: Whitefly/Mofang | APT Profile
3. Fox-IT's threat report on Mofang: Mofang threat report
4. SingHealth malware analysis by RedAlert: Singapore custom malware analysis
5. CSA whistleblowing channel: https://www.csa.gov.sg/legislation/whistleblowing
Q & A
Thank you for being great classmates
All the best for your future endeavours
Jia Ming
Very IT savvy and willing to share and help his other team mates.
Jiaming is a very good team player and humble leader of projects, always going the extra mile to ensure concepts are understood across the board, extremely meticulous with slide formatting due to his background in media. He is also organised and is able to share concepts fluidly.
Very meticulous. Organised. Knowledgeable. Good aesthetics (designer).
Wee Kim
Patient, and always acknowledges less IT-savvy team mates' perspectives despite her IT expertise. She is very good at explaining IT concepts in simple terms.
Her experience in IT helped the group a lot.
Invaluable expertise; steered us in the correct direction.
Very knowledgeable and calm, able to help less IT-savvy members grasp concepts. Also, due to her previous work experience in IT, she is able to shed light on the actual work processes to help us understand the actual situation on the ground.
Very detail-oriented.
Asking crucial questions to advance project development.
Shirley
Extremely diligent, and put in extra effort in her own time.
Her perseverance is admirable; she contributed in spite of being ill.
Very conscientious in making sure images in the PowerPoint are of clear quality.
Shirley is meticulous, always ensuring that our presentations are of high quality, even
re-typing/re-making diagrams to ensure crispness of resolution and also ease of reading.
She’s also very considerate, always making sure we have our meals before resuming project.
We-Le
He showed us an owl photo
He cares for his team mates well being
Provided vital IHiS-related resources and documents for the team's reference.
Good team player who helped us search for additional resources
We-Le provides level-headed feedback to the projects and is always around
to share expertise from his previous industry.
Dixie
Highly energetic; her enthusiasm helped us get through this gruelling process!
Translates complex technical concepts into digestible content.
Always cheerful and brightens the group meetings.
Gave constructive ideas. Thumbs up.
Fast reader; helped to speed-read the massive report.

SingHealth Cyber Attack (project)

• 7. Killchain Timeline
Attacker:
- 23 Aug 2017: a user fell prey to phishing; the attacker gained initial access to SingHealth's IT network.
- Instances of malicious activity took place (lateral movement and privilege escalation, Dec 2017 to June 2018 per the key events diagram).
- 27 June 2018: the attacker started bulk queries on the SCM database.
- 27 June to 4 July 2018: the attacker exfiltrated data.
Defender:
- Jan 2018: penetration test.
- Failed call-backs from workstations to a suspicious foreign IP were detected.
- 11-13 June 2018: DBA, Citrix and SCM teams detected failed logins to SCM; CERT started forensics.
- 4 July 2018: the DBA noticed unusual queries on SCM and terminated them; IHiS started its investigation.
- 10 July 2018: IHiS reported the attack to CSA, which worked with them.
- 19 July 2018: IHiS detected further suspicious activity in the SingHealth network.
- 20 July 2018: Internet Surfing Separation implemented; public announcement.
Other markers on the timeline: Mar 2017; elapsed intervals of 4 months 27 days, 10 months 5 days, 10 months 12 days and 5 months.
• 8. Attacker's Artefacts
Malware
- Usage: used by the attacker to obtain passwords for privilege escalation and lateral movement.
- Artefacts: a log file from a known malware (Trojan.Vcrodat) containing the password credentials of the Workstation A user was found.
Publicly Available Hacking Tool
- Usage: used to regain access if the initial implant was removed. It allows remote interaction with mail exchange servers and simple brute-force attacks on email accounts.
- Artefacts: hacking tools (Mimikatz and Termite) were installed on Workstation A by exploiting a vulnerability in Microsoft Outlook. The tool was used to download files masquerading as .jpeg files that contained malicious PowerShell scripts.
Remote Access Trojan (RAT)
- Usage: gave the attacker the capability to access and control the workstation, execute shell scripts remotely, and upload and download files.
- Artefacts: a RAT (Trojan.Nibatad) was created on Workstation A shortly after the installation of the hacking tool. The RAT was stealthy by design, or of a unique variant, and avoided detection by standard anti-malware solutions.
• 9. Target Attack Killchain Analysis (Whitefly)
Whitefly MO: remain dormant within the targeted organisation for long periods of time in order to steal large volumes of data.
Reconnaissance and Weaponisation: not elaborated on the slide.
Delivery: phishing, infecting the PC with a dropper in the form of a malicious .exe or .dll file disguised as a document or image. Once opened, Trojan.Vcrodat is loaded onto the PC (via search order hijacking). Upon execution, Vcrodat loads an encrypted payload onto the victim's PC; this payload contacts a C&C server, sends system information about the infected PC and downloads additional tools.
Exploitation: once the initial PC is infected with Vcrodat, Whitefly begins mapping the network and further infecting PCs using publicly available tools, i.e. Mimikatz and another open-source tool that exploits a known Windows privilege escalation vulnerability on unpatched PCs.
Installation: Whitefly uses the open-source hacking tool Termite (Hacktool.Rootkit) to perform more complex actions, such as controlling multiple compromised machines at a time.
Command & Control: Whitefly configures multiple C&C domains for each target.
Action on Objective: Mimikatz is repeatedly deployed to obtain credentials on more machines on the network until the attacker gains access to the desired data.
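The Delivery phase above says Vcrodat was loaded "via search order hijacking". With Windows' default SafeDllSearchMode, a DLL requested by name is looked for in the application's own directory before System32, so a file planted beside a legitimate executable and named after a system DLL is loaded in its place, unless the name is on the KnownDLLs list, which the loader always resolves from System32. The following audit is an added example, not code from the deck or from any of the cited reports: it hashes a known-good System32 tree as a baseline, then walks application directories and reports DLLs whose file name matches a baseline DLL but whose hash differs. The directory layout, file contents and the KnownDLLs subset are constructed for the example; on a real host the baseline comes from a clean System32 and the KnownDLLs list from the registry.

```python
"""Audit for DLL search-order hijacking (added example; constructed data)."""
import hashlib
import os
import tempfile

# Constructed subset of the KnownDLLs list.  On a real host read
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir):
    """Map lower-cased DLL name -> sha256 for every DLL in a known-good tree."""
    return {
        name.lower(): sha256_of(os.path.join(system_dir, name))
        for name in os.listdir(system_dir)
        if name.lower().endswith(".dll")
    }


def audit_app_dirs(root, baseline):
    """Return (path, reason) for DLLs that would shadow a baseline DLL.

    A DLL in an application directory is suspicious when its name matches a
    system DLL that is not a KnownDLL (so the loader really would pick it up
    first) and its content differs from the known-good copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if not lname.endswith(".dll") or lname not in baseline:
                continue
            if lname in KNOWN_DLLS:
                continue  # always loaded from System32; not hijackable this way
            path = os.path.join(dirpath, name)
            if sha256_of(path) != baseline[lname]:
                findings.append((path, f"shadows system DLL {lname} with different content"))
    return findings


def stage_demo():
    """Build a throwaway tree (constructed): a clean 'system32' and an app
    directory where version.dll has been planted beside the program.
    Returns findings as (path relative to the tree, reason)."""
    root = tempfile.mkdtemp(prefix="dll_audit_")
    sys_dir = os.path.join(root, "system32")
    app_dir = os.path.join(root, "apps", "reportviewer")
    os.makedirs(sys_dir)
    os.makedirs(app_dir)
    clean = {"version.dll": b"legit version.dll",
             "kernel32.dll": b"legit kernel32.dll",
             "dbghelp.dll": b"legit dbghelp.dll"}
    for name, data in clean.items():
        with open(os.path.join(sys_dir, name), "wb") as f:
            f.write(data)
    planted = {"reportviewer.exe": b"legit program",
               "version.dll": b"planted loader",            # loaded instead of System32\version.dll
               "kernel32.dll": b"planted but harmless",     # KnownDLL: app-dir copy is ignored
               "dbghelp.dll": clean["dbghelp.dll"]}         # redistributed copy identical to System32
    for name, data in planted.items():
        with open(os.path.join(app_dir, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(sys_dir)
    return [(os.path.relpath(p, root), r)
            for p, r in audit_app_dirs(os.path.join(root, "apps"), baseline)]


if __name__ == "__main__":
    for path, reason in stage_demo():
        print(f"{path}: {reason}")
```

Only the planted version.dll is reported: the kernel32.dll copy is skipped because KnownDLLs are never resolved from the application directory, and the redistributed dbghelp.dll matches the baseline hash. Manifest-based redirection and per-application DLL redirection files change the search order and are not modelled here.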
• 10. WHITEFLY | MÓFǍNG | 模仿
Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang's targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on the government and critical infrastructure of Myanmar that is described in Fox-IT's report. Chances are about even, though, that Mofang is a relevant threat actor to any organisation that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries.
Operation Whitefly
- Malware: Trojan.Vcrodat, Trojan.Nibatad
- Hacking tools: Hacktool.Rootkit, Hacktool.Mimikatz
- TTPs: spear-phishing, multiple C&C domains
Reference links: ThaiCERT | Reuters | RedAlert | Fox-IT | Symantec
• 11. Key Events of Cyber Attack (network diagram). Nodes shown: Internet; Healthcare Institution A and Healthcare Institution B; Workstation A and Workstation B; Citrix Server 1 @SGH, Citrix Server 2 @SGH and Citrix Server 3 @HDC; SCM DB Servers (medical records). Arrows mark the attacker’s movement to the SCM DB server and the flow of data exfiltration.
- Initial entry (23 August 2017)
- Lateral movement & privilege escalation (December 2017 – June 2018)
- Compromised SCM (26 June 2018)
- Queried SCM database (27 June 2018 – 4 July 2018)
- Data transferred / data exfiltration (27 June 2018 – 4 July 2018)
• 13. Problem Identification. Despite tell-tale signs of a cyber attack that started in Aug 2017, about 1.5 million patient records were exfiltrated over a period of 8 days (27 June 2018 to 4 July 2018).
Challenges to IHiS: should a similar cyber attack happen again, how might it:
1. Enhance its response plan
2. Mitigate or reduce the risk of such an attack
3. Better protect its network and systems
• 14. Stakeholder Map/SOC Team (diagram). Entities shown: CEO IHIS; MD MOHH; CSG IHIS; CISO; GCIO MOH; IOH; CSA OPS; CERT Team; SIRM; Security Infrastructure Service Lead; Network Application Service Lead; End User Management; Security Incident Response Team (SIRT).
• 15. As-Is Security Breach Scenario: Ben (Profile). Ben, L1 - System Engineer, Security Management Department, IHiS
● One member of the Computer Emergency Response Team (CERT); has attended an incident response course (“Hacker Tools, Techniques, and Incident Handling” by SANS).
● The three-member CERT team was set up in Mar 2018.
● CERT team: first responders responsible for performing incident analysis to determine the scope and nature of the incident, collecting forensic evidence, tracking or tracing the intruder, and providing on-site assistance to help with incident recovery.
● Reports to Ernie, Senior Manager, SMD
• 16. Killchain Timeline (attacker and defender rows)
Attacker:
- 23 Aug 2017: User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network
- Instances of malicious activity took place
- 27 June 2018: Attacker started bulk query on SCM database
- 27 June – 4 July 2018: Attacker exfiltrated data
Defender:
- Mar 2017: PenTest
- Jan 2018: Detected failed call-backs from workstations to suspicious foreign IP
- 11-13 Jun 2018: DBA, Citrix and SCM teams detected failed logins to SCM; CERT started forensics
- 4 July 2018: DBA noticed unusual queries on SCM and terminated the queries; IHiS started investigation
- 10 July 2018: IHiS detected further suspicious activity in SingHealth network; IHiS reported attack to CSA, who worked with them
- 19 July 2018: Internet Surfing Separation implemented
- 20 July 2018: Public announcement
Elapsed-time markers shown on the slide: 4 months 27 days; 10 months 5 days; 10 months 12 days; 5 months.
• 17. As-Is Security Breach Scenario: Ben (1/3). 18 Jan 2018
Investigation:
● While doing routine checks, alerted to the filename of the suspected malware found on the PHI 1 Workstation.
● PHI 1 Workstation attempts to connect with a foreign IP address and an associated URL (the foreign IP address belongs to the attacker’s C2 server).
● PHI 1 Workstation sent commands to two other IP addresses in a foreign country.
● While the file name of the suspected malware was that of a legitimate program, the program was not located in the correct file path, but L1 did not notice this irregularity.
Actions Taken:
● PHI 1 Workstation’s network traffic to all 3 IP addresses was blocked and the workstation was disconnected from the SingHealth network.
● Workstation was re-imaged and files were quarantined before reconnecting it to the network.
● Workstation was no longer attempting to connect to the foreign IP address. However, commands were still being broadcast to the other two IP addresses.
● Contacted the outsourced MSS (Managed Security Services) vendor to continue monitoring the suspicious IP addresses and URL. While the MSS provider is responsible for receiving alerts, ultimately, assessment of the seriousness of the alerts and the consequent remedial actions are squarely within the remit of IHiS’ security staff.
● Domain name of the foreign URL was not blocked.
• 18. As-Is Security Breach Scenario: Ben (2/3)
Investigation:
● 19 Jan 2018 (AM): L1 obtained network logs (proxy logs and firewall logs), searching both for the period 1 to 19 Jan 2018.
● 19 Jan 2018 (PM): L1 sent an email to the SMD, including L2 Ernie, titled “Hits to IOCs” (‘IOCs’ refers to indicators of compromise), attaching the network logs and telling them he had arranged for scans for hits involving the malicious IPs and URLs.
● 20 Jan 2018 (PM): L1 analysed the process dump of the suspicious file identified on the PHI 1 Workstation via an online service that analyses suspicious files and facilitates detection of viruses, Trojans, worms and malware. He wrongly trusted the benign result from the online service: the malware signature was not publicly available at that time, so the online check was unable to flag it as malicious. L1 was not trained, and did not have the tools, to analyse a process dump; he was only trained in digital and memory forensics.
● L1 noticed many instances of access to the foreign IP address. All the successful instances of access were from a single IP address, and involved either a particular SGH userID or the hostname of SGH Workstation A. Workstation A played a significant role in the Cyber Attack.
● 22 Jan 2018: L1 continued to monitor network traffic to update L2. No further malicious outbound traffic from the PHI 1 Workstation.
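The check L1 did by hand on 19 and 20 Jan 2018 (search proxy and firewall logs for hits on the malicious IPs and URL, then notice that every successful hit came from one source tied to a user ID or hostname) is the kind of sweep a SOC should script so it runs for every IOC rather than once. The block below is an added example, not code from the slides or from IHiS: the log formats, the 203.0.113.x and 198.51.100.x addresses, the example.net domain, the user IDs and the hostname are all constructed. It also makes the point the slide before ends on: a domain IOC that is left unblocked still gets through an IP-only block.

```python
"""Sweep proxy and firewall logs for hits on known indicators of compromise
(IOCs) and summarise them per internal host. Added example, not IHiS tooling:
every log line, IP, user ID and hostname is constructed (203.0.113.x,
198.51.100.x and example.net are reserved documentation values)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed IOC set: the suspicious foreign IPs and the domain of the URL.
IOCS = {"ips": {"203.0.113.10", "203.0.113.11", "203.0.113.12"},
        "domains": {"update.example.net"}}

# Constructed proxy log: ts src_ip client(user ID or hostname) status method url
PROXY_LOGS = """\
2018-01-18T09:12:01 10.20.30.40 SGH-WS-A 200 GET http://update.example.net/check
2018-01-18T09:12:07 10.20.30.40 user123 200 GET http://update.example.net/a
2018-01-18T10:01:44 10.20.30.99 user777 403 GET http://203.0.113.11/x
2018-01-18T11:40:12 10.20.30.40 user123 200 GET http://www.example.org/
2018-01-19T08:00:03 10.20.30.40 SGH-WS-A 200 GET http://203.0.113.10/beacon
""".splitlines()

# Constructed firewall log: ts action src_ip dst_ip dst_port
FIREWALL_LOGS = """\
2018-01-18T09:12:01 ALLOW 10.20.30.40 203.0.113.10 443
2018-01-18T09:12:30 DENY 10.20.30.55 203.0.113.12 8080
2018-01-18T12:00:00 ALLOW 10.20.30.40 198.51.100.7 443
2018-01-19T08:00:03 ALLOW 10.20.30.40 203.0.113.10 443
""".splitlines()

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Hit:
    source: str       # "proxy" or "firewall"
    ts: str
    src_ip: str       # internal host that made the connection
    client: str       # user ID / hostname from the proxy log, "-" on the firewall
    indicator: str    # the IOC that matched
    successful: bool  # 2xx/3xx proxy status or ALLOW on the firewall


def proxy_hits(lines, iocs=IOCS):
    """Match the URL host of each proxy entry against both IP and domain IOCs."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, src_ip, client, status, _method, url = m.groups()
        host_m = re.match(r"^[a-z]+://([^/:]+)", url)
        host = host_m.group(1).lower() if host_m else ""
        if host in iocs["ips"] or host in iocs["domains"]:
            hits.append(Hit("proxy", ts, src_ip, client, host, status[0] in "23"))
    return hits


def firewall_hits(lines, iocs=IOCS):
    """Match destination IPs against IP IOCs; ALLOW means the call-back got out."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and m.group(4) in iocs["ips"]:
            ts, action, src_ip, dst_ip, _port = m.groups()
            hits.append(Hit("firewall", ts, src_ip, "-", dst_ip, action == "ALLOW"))
    return hits


def summarise_by_source(hits):
    """Per internal source IP: hit count, completed call-backs, user IDs/hosts seen."""
    summary = defaultdict(lambda: {"total": 0, "successful": 0, "clients": set()})
    for h in hits:
        s = summary[h.src_ip]
        s["total"] += 1
        s["successful"] += int(h.successful)
        if h.client != "-":
            s["clients"].add(h.client)
    return dict(summary)


def escalation_candidates(summary, min_successful=1):
    """Hosts with at least min_successful completed call-backs. One completed
    beacon to C2 infrastructure already deserves an incident record; the
    threshold exists for the SOC to tune, not to silence the alert."""
    return sorted(ip for ip, s in summary.items() if s["successful"] >= min_successful)


def hits_missed_by_ip_block(hits, iocs=IOCS):
    """Hits an IP-only block would not stop: traffic to the IOC domain, which
    the attacker can repoint to an address that is not on the block list."""
    return [h for h in hits if h.indicator in iocs["domains"]]


if __name__ == "__main__":
    all_hits = proxy_hits(PROXY_LOGS) + firewall_hits(FIREWALL_LOGS)
    summary = summarise_by_source(all_hits)
    for ip, s in summary.items():
        print(f"{ip}: {s['successful']}/{s['total']} call-backs completed, clients={sorted(s['clients'])}")
    print("escalate:", escalation_candidates(summary))
    print("hits an IP-only block would miss:", len(hits_missed_by_ip_block(all_hits)))
```

On the constructed data the sweep shows one internal host with five completed call-backs under two identities (a user ID and a workstation hostname), which is exactly the observation that should have triggered a workstation investigation, and two hits that only the domain IOC catches.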
• 20. As-Is Security Breach Scenario: Ben (3/3). 13 Jun 2018, 5 months later
Investigation:
❖ DBA also alerted the Citrix Team on failed login attempts to the SCM server and informed L1. The Citrix Team explained their log findings to L1:
● Attempts to access the SCM database from a Citrix Server on 11 and 12 June 2018;
● Multiple usernames had been used in attempts to log in to the SCM database;
● Unauthorised access to Citrix Server 1 using the L.A. account on multiple occasions since 17 May 2018; the L.A. account should only have been used by the Citrix Team.
● L1 and the Citrix Team investigated the unauthorised accesses to find the physical locations of the workstations by pinging them, and found they were VMs.
● The PHI 1 Workstation, which had been re-imaged, was compromised by malware again.
● The L.A. account had a weak password (‘P@ssw0rd’) that could easily be decrypted, and it was found in a batch file in clear text. It is possible the attacker accessed this file and obtained the credentials.
Actions Taken:
● L1 realised SCM was being targeted.
● The Citrix team emailed L1 and copied CERT, L2 and L3 (Cluster ISO for SingHealth), but Ernie was overseas and did not read the email immediately.
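The L.A. account finding above, a weak password sitting in clear text in a batch file, is what a periodic secret scan of scripts on servers is meant to surface long before an attacker does. The following is an added example of such a scan, not code from the slides or from IHiS: the batch file, the account names, the server and share names are constructed; the only value taken from the page is the password ‘P@ssw0rd’ itself, used to show that undoing common character substitutions exposes it as a dictionary word.

```python
"""Scan a script for credentials stored in clear text and rate each password.
Added example, not IHiS tooling: the batch file, account names and paths are
constructed; only the weak password 'P@ssw0rd' comes from the COI findings."""
import re

# Constructed maintenance batch file of the kind left on a server share.
SAMPLE_BAT = r"""@echo off
rem nightly maintenance job (constructed example)
set ADMIN_USER=la.admin
set ADMIN_PASS=P@ssw0rd
net use Z: \\fileserver\share /user:svc_backup Summer2018!
psexec \\ctx01 -u svc_deploy -p x9$Kq!7vLm2#Tz3 cmd /c echo ok
echo done
"""

# Each pattern yields (name, secret). Extend with the tooling your scripts use.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\bset\s+(\w*(?:pass|pwd|secret)\w*)=(\S+)"),  # set PASS=...
    re.compile(r"(?i)/user:(\S+)\s+(\S+)"),                        # net use ... /user:NAME PW
    re.compile(r"(?i)-u\s+(\S+)\s+-p\s+(\S+)"),                    # psexec -u NAME -p PW
]

# Common substitutions undone before the dictionary check.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "7": "t", "!": "i"})
WEAK_WORDS = {"password", "passwd", "admin", "welcome", "letmein", "qwerty",
              "summer", "winter", "spring", "autumn", "changeme", "secret"}


def password_weaknesses(pw):
    """Return the reasons a password is weak; an empty list means no finding."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    # Strip a trailing year/symbol suffix, undo substitutions, then look it up.
    core = re.sub(r"[\d!@#$%^&*]+$", "", pw.lower()).translate(LEET)
    if core in WEAK_WORDS:
        reasons.append(f"based on dictionary word '{core}'")
    return reasons


def scan_script(text, path="constructed.bat"):
    """Find clear-text credentials in a script and rate each password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                name, secret = m.group(1), m.group(2)
                findings.append({
                    "path": path, "line": line_no, "name": name,
                    "masked": secret[0] + "*" * (len(secret) - 1),  # never log the secret
                    "reasons": password_weaknesses(secret),
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_BAT):
        verdict = "; ".join(f["reasons"]) or "strong, but still stored in clear text"
        print(f"{f['path']}:{f['line']} {f['name']} {f['masked']}: {verdict}")
```

Note that the third credential in the sample passes the strength checks and is still reported: the finding is the clear-text storage itself, and the strength rating only decides how urgently the password has to be rotated.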
• 21. As-Is Security Breach Scenario: Ernie (Profile). Ernie - Senior Manager, Security Management Department, IHiS
● SingHealth’s Security Incident Response Manager (SIRM), who leads and coordinates IT security incident response; deemed the Subject Matter Expert.
● Security Incident Response Team (SIRT) updates the SIRM
● Reports to the Assistant Director, Infrastructure Services & SingHealth Cluster Infrastructure Lead
• 22. As-Is Security Breach Scenario: Ernie. 19 Jan 2018
Investigation:
● Ernie received the email from L1. He “glanced” at the logs and saw multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1.
● No further investigation was proactively taken by Ernie to: identify the owner of the user-ID shown in the logs (i.e. the user of Workstation A); identify the physical location of Workstation A; investigate the callbacks from Workstation A, including whether it was infected with malware; or block connections to the suspicious IP address from SGH or the rest of the SingHealth network.
● There is also no indication that there was any follow-up from any other members of the SMD.
Actions Taken:
● Ernie deemed it not a reportable security incident, as the malware on the PHI 1 Workstation was contained.
● The IR-SOP states that malware infections that have been detected, contained and cleaned, without network propagation, need not be reported.
● Ernie failed to investigate whether the malware had propagated across the network.
● Ernie did not inform Wee because suspected malware on a workstation is very common.
● Ernie did not file an Incident Reporting Form (“IRF”) because suspected infections are not typically filed.
• 23. SIRM & CERT Pain Points - Empathy Map
Feels:
● Alone & stressed
● Uncertain of impact / extent.
● CERT team too lean (i.e. need 24 x 7 strong skilled SOC team, including Threat Hunter)
● Not well versed in procedures/ policies
Thinks & Says (from Ernie):
● I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident.
● If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated on the IR-SOP
● Puts a lot of pressure on team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO all want info
Does (moving forward):
● Case Management software to log all investigative updates and track progress.
● Advanced endpoint detection and response (EDR) integrated with analytics/ AI for rapid isolation of infected systems, and collection of forensic evidence from multiple systems at the same time
● Implement ATP with advanced response capabilities
• 25. Existing SERT Team (org chart). Roles: L1 (Threat Analyst); L2 (Triage Analyst); L3 (Threat Hunting); IT SecOps; Security Ops Manager. Staff: Ben, System Engineer, SMD, IHiS; Ernie, SIRM, Senior Manager, SMD, IHiS. Time allocations shown on the chart: 100%, 100%, 30%, 30%, 45%.
• 26. Building an Advanced SOC centre across multiple domains
People: 1. What skills are needed? 2. Personality / attitude of staff 3. Constant upgrading of skills
Process: 1. Incident scenarios with responses 2. Entire lifecycle of incidents 3. Processes and continual improvement
Technology: 1. SIEM architecture and use cases 2. SIEM integrated with behaviour-based analytics and Endpoint Detection and Response (EDR) 3. Web services to integrate them
Governance/metrics: 1. Dashboard visibility and oversight 2. Policy, measurements and enforcement 3. Informing stakeholders
• 27. NIST Framework
IDENTIFY - Organisations
PROTECT - Safeguard Business
DETECT - Implement Systems
RESPOND - Take Action
RECOVER - Be Resilient
• 28. IDENTIFY - NIST FRAMEWORK CORE: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy.
- Roles and responsibilities were well established by existing policies but not explicitly communicated, resulting in miscommunication and misinterpretation of security threats.
- A policy on handling Advanced Persistent Threats (APTs) was not in place during the cyber attack.
- The FY16 H-Cloud Pen-Test was conducted; however, the vulnerabilities it surfaced were NOT prioritised, as several of the vulnerabilities identified were not handled with urgency.
• 29. IDENTIFY - CYBER RESILIENCE LIFECYCLE: Defining a roadmap and action plan to build or improve the Organisation’s cyber resilience plan.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● IBM X-Force RED
● IBM Q-Radar
● IBM Advanced Threat Protection (ATP) Feed
● *SolarWinds Asset Management & Discovery
Technique & Process:
● Cyber Resilience Preliminary Assessment
● Cyber Rapid Risk Readiness Assessment
● Software Defined Network Planning and Assessments
● Critical Data Protection Program
● Program Governance
❖ *Asset discovery tool to automate the asset discovery and management process, as opposed to a physical asset register updated manually
Task & Activities: security assessment and review including:
● Asset inventory (includes legacy systems)
● External network
● Internal network
● Wireless network
● Internet
● Firewall
● Host & Server
● Remote access
● Risk assessment
● Pen-Test
• 30. PROTECT (1/2) - NIST FRAMEWORK CORE: Develop and implement appropriate safeguards to ensure delivery of critical services. Categories: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology.
- Identity management systems and processes governing access permissions and authorisation were poorly governed and not strictly enforced.
- The network was also poorly segregated and segmented, and mishandled by untrained staff, allowing attackers to exploit these vulnerabilities in the attack.
- Cybersecurity personnel were poorly trained, and therefore unable to appreciate and correlate their findings with the tactics, techniques and procedures (TTPs) of cyber attacks.
- The SIRT team was unfamiliar with the security policy documents and the need to escalate the matter to CSA.
• 31. PROTECT (2/2) - NIST FRAMEWORK CORE: Develop and implement appropriate safeguards to ensure delivery of critical services. Categories: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology.
- Privileged users had a weak understanding of their roles and responsibilities.
- Absence of an APT playbook: the existing SIRT playbook was geared more towards conventional attacks, like ransomware and website defacement, even though the cybersecurity TT (table-top) exercises conducted featured APTs as one of the threat scenarios (2016). Gross neglect by the IHiS organisation: omission of APTs from the playbook.
- Weak maintenance process. Confirmation of work done is based on a "trust" system; there is no follow-up process to ensure enforcement of changes.
- Protective security solutions are in place but poorly managed, enforced and handled. The outsourced MSS service was also lacking in vigilance.
• 32. PROTECT (1/2) - CYBER RESILIENCE LIFECYCLE: Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited.
Proposed Tools, Technology, Technique & Process
Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection
Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection
Task & Activities
Identity Management, Authentication and Access Control:
● Improve the identity management process so that remote access and permissions are verified, revoked and audited.
● A central Public Key Infrastructure (“PKI”) to issue digital certificates to validate connections to IHiS’ network, and support key exchange for encryption purposes.
● Ensure *enforcement of policies that require multi-factor authentication and complex passwords.
Awareness and Training:
● SIRT Team needs to be adequately trained and informed of policies.
● Privileged users, third-party stakeholders and senior executives need to be educated on their roles and responsibilities in the prevention of cyber security incidents.
• 33. PROTECT (2/2) - CYBER RESILIENCE LIFECYCLE: Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited.
Proposed Tools, Technology, Technique & Process
Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection
Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection
Task & Activities
Data Security:
● Network integrity needs to be improved, through network segmentation and segregation of CII assets.
● Data at rest and in transit need to be adequately protected and encrypted to prevent data leaks.
● Assets must be well managed throughout removal, transfer and disposition.
● An integrity-checking mechanism needs to be in place to verify hardware, software, firmware and information integrity.
Maintenance:
● Need to ensure maintenance work is properly conducted, through a proof-of-work system as reference.
Information Protection Processes and Procedures:
● Although several policies are in place, they need to be better communicated to the SIRT team.
● Need to ensure a vulnerability management plan is developed and implemented.
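The integrity-checking mechanism this slide calls for, applied to software, also covers two earlier points on the page: the slide 17 irregularity (a file with a legitimate program's name running from the wrong path, which L1 did not notice) and the search-order hijacking by which Trojan.Vcrodat loads (slide 9). The block below is an added example of such a check, not code from the slides or from IHiS: it compares each loaded executable or DLL against a baseline of expected directory and SHA-256 hash, and every binary name, path and hash in it is constructed (the hashes are computed from placeholder byte strings).

```python
"""Integrity and location check for executables and DLLs: compare what is
loaded on a host against a baseline of known-good names, directories and
SHA-256 hashes. Added example, not IHiS tooling; every binary, path and hash
is constructed (hashes are computed from placeholder byte strings)."""
import hashlib
import ntpath
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "blessed" builds. In practice the hashes come from a signed
# software inventory, never from the host being checked.
GENUINE = {
    "svchost.exe": b"constructed bytes of the genuine svchost.exe build",
    "updater.exe": b"constructed bytes of the genuine updater.exe build",
    "version.dll": b"constructed bytes of the genuine version.dll build",
}
BASELINE = {  # name -> (expected directory, expected sha256)
    "svchost.exe": (r"C:\Windows\System32", sha256_hex(GENUINE["svchost.exe"])),
    "updater.exe": (r"C:\Program Files\Clinic\Updater", sha256_hex(GENUINE["updater.exe"])),
    "version.dll": (r"C:\Windows\System32", sha256_hex(GENUINE["version.dll"])),
}


@dataclass(frozen=True)
class LoadedImage:
    name: str    # file name as reported by the endpoint agent
    path: str    # full path the image was loaded from
    sha256: str  # hash of the file on disk


def _norm_dir(path: str) -> str:
    """Windows paths compare case-insensitively; normalise separators too."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def check_image(img: LoadedImage, baseline=BASELINE) -> list:
    """Return the problems found with one loaded image (empty list = clean)."""
    entry = baseline.get(img.name.lower())
    if entry is None:
        return ["unknown_binary"]
    expected_dir, expected_hash = entry
    issues = []
    if _norm_dir(ntpath.dirname(img.path)) != _norm_dir(expected_dir):
        # A legitimate name in the wrong folder is the slide-17 irregularity,
        # and also how DLL search-order hijacking plants a look-alike library.
        issues.append("unexpected_path")
    if img.sha256.lower() != expected_hash:
        issues.append("hash_mismatch")
    return issues


def check_inventory(images, baseline=BASELINE) -> dict:
    """Map every image path to its issues; the caller escalates any non-empty list."""
    return {img.path: check_image(img, baseline) for img in images}


# Constructed host inventory: one clean process, a dropper masquerading under a
# system binary's name, a tampered build in the right place, a planted DLL
# beside the application, a genuine copy in a folder it does not belong in,
# and a binary the inventory has never heard of.
INVENTORY = [
    LoadedImage("svchost.exe", r"C:\Windows\System32\svchost.exe", sha256_hex(GENUINE["svchost.exe"])),
    LoadedImage("svchost.exe", r"C:\Users\Public\Downloads\svchost.exe", sha256_hex(b"dropper named like svchost")),
    LoadedImage("updater.exe", r"C:\Program Files\Clinic\Updater\updater.exe", sha256_hex(b"tampered updater build")),
    LoadedImage("version.dll", r"C:\Program Files\Clinic\Updater\version.dll", sha256_hex(b"planted version.dll")),
    LoadedImage("svchost.exe", r"C:\Temp\svchost.exe", sha256_hex(GENUINE["svchost.exe"])),
    LoadedImage("helper.exe", r"C:\Temp\helper.exe", sha256_hex(b"unknown helper")),
]

if __name__ == "__main__":
    for path, issues in check_inventory(INVENTORY).items():
        print(f"{'OK   ' if not issues else 'ALERT'} {path} {issues}")
```

The path check is deliberately separate from the hash check: a binary whose hash is perfect but which runs from a user-writable folder is still an alert, because that is the pattern an analyst looking only at the file name will miss.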
• 34. DETECT - NIST FRAMEWORK CORE: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Categories: Security Continuous Monitoring; Anomalies and Events; Detection Processes.
- Detection systems and policies were in place; however, personnel were not trained and equipped to recognise advanced persistent threats (APTs). The MSS vendor was contacted to assist with the monitoring and detection of the cybersecurity events.
- Personnel and systems were monitored and scanned for vulnerabilities but were unsuccessful in their detection, as the malicious code was stealthy by design and not detected by standard anti-malware solutions.
- Detection processes via MSS (e.g. anti-malware/anti-virus, intrusion detection/prevention systems, SIEM) were in place and successfully detected malicious activities, but not the malware.
- Maintenance of detection tools and follow-up processes were lax; anti-malware/anti-virus was not patched; the firewall was down and this went undetected.
• 35. DETECT - CYBER RESILIENCE LIFECYCLE: Detecting unknown threats with advanced analytics.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Managed X-Force Detection
● X-Force Command Centers
● Resiliency Orchestration with Cyber Incident Recovery – provides dashboard monitoring of cyber incidents, Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Technique & Process:
● Active Threat Assessment
● Whistleblowing policy
Task & Activities
AI helps to flag Anomalies and Events:
● Detected events are analysed to understand attack targets and methods
● Event data are collected and correlated from multiple sources and sensors
● Establish incident alert thresholds
Continuous 24 x 7 monitoring by a strong and knowledgeable SOC team:
● Proactive monitoring, including of suspicious activities or incidents.
Detection processes and procedures are maintained and tested to ensure awareness of anomalous events:
● Improve maintenance of detection tools by ensuring updates are applied.
● Detection procedures are well communicated and briefed to staff.
● A shared management dashboard that covers not only the security incidents which were responded to and reported, visible all the way up to the organisation’s CEO and reviewed periodically.
• 36. RESPOND - NIST FRAMEWORK CORE: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Categories: Response Planning; Communications; Analysis; Mitigation; Improvements.
- The response plan and policies were not well communicated to the SIRT team. However, necessary measures were taken to limit damage during and after the Cyber Attack. Roles and order of operations are well defined in the SIRT team.
- Information on the incident was reported and shared within the SIRT team to limit the incident, and subsequently to the public and external stakeholders to promote broader cybersecurity awareness. However, failure to recognise the early warning signs of the threat delayed the communication process.
- The delay in detection and communication in turn delayed the forensic investigation into the impact and nature of the attack (APT).
- Recommendations surfaced by the annual Pen-Test, GIA audit and table-top exercises were not heeded or incorporated into the response plan.
• 37. RESPOND - CYBER RESILIENCE LIFECYCLE: Responding effectively to a cyber outbreak.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● X-Force Threat Management Response
● Initiate Backup as a Service and Disaster Recovery as a Service for data and production recovery
Technique & Process:
● Recovery notification workflow automation
● Dynamically managed infrastructure
Task & Activities - IHiS Security Incident Response Team (SIRT) preparation:
● SOC team should be trained in all kinds of malicious attacks (including APTs) and aware of which strategies and procedures to apply in response to such an attack.
● SOC team needs to know which stakeholders they need to report to.
● SOC team should have a single consolidated view for their analysis and forensics.
• 38. RECOVER - NIST FRAMEWORK CORE: Develop and implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired by the incident. Categories: Recovery Planning; Improvements; Communications.
- The recovery plan was eventually executed to mitigate the attack and prevent further data breach and data theft.
- IHiS has since taken a series of measures to strengthen its cybersecurity, incorporating lessons learned from this incident.
- Public fallout was minimised, as there was a public inquiry into the failings, in part due to Singaporeans’ confidence in the government's handling of the situation.
• 39. RECOVER - CYBER RESILIENCE LIFECYCLE: Recovering access to critical data and applications.
Proposed Tools, Technology, Technique & Process
Tools & Technologies:
● Resiliency Orchestration with Cyber Incident Recovery
● Backup as a Service
● Disaster Recovery as a Service
Technique & Process:
● MultiNetwork WAN (MWS) – dynamically reallocate bandwidth to support recovery
Task & Activities - IHiS Security Incident Response Team (SIRT) preparation:
● SOC team and relevant IT staff are aware of recovery procedures and plan
● Recovery plans incorporate lessons learnt
● Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
• 40. Implementation Tiers
TIER 1 PARTIAL
- Cybersecurity professionals (staff) and the general employee population have had little to no cybersecurity-related training
- The staff has a limited or nonexistent training pipeline.
- Security awareness is limited.
- Employees have little or no awareness of company security resources and escalation paths.
TIER 2 RISK INFORMED
- The staff and employees have received cybersecurity-related training
- The staff has a training pipeline
- There is an awareness of cybersecurity risk at the organisation level.
- Employees have a general awareness of security and company security resources and escalation paths.
TIER 3 REPEATABLE
- The staff possesses the knowledge and skills to perform their appointed roles and responsibilities
- Employees should receive regular cybersecurity-related training and briefings
- The staff has a robust training pipeline, including internal and external security conferences or training opportunities.
- Organisation and business units have a security champion or dedicated security staff.
TIER 4 ADAPTIVE
- The staff’s knowledge and skills are regularly reviewed for currency and applicability, and new skills and knowledge needs are identified and addressed.
- Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics.
- The staff has a robust training pipeline and routinely attend internal and external security conferences or training opportunities.
• 41. Implementation Tiers (assessment overlaid on the same four tier descriptions as slide 40): IHiS CURRENT state rated at approximately 1.5; TARGET: TIER 3 REPEATABLE; IDEAL: TIER 4 ADAPTIVE.
• 45. Swiss Cheese Model for Data Breach (diagram). Layers, each with holes: Organisation influence (LF); Inadequate security defences (LF); Precursors of unsafe data handling (LF); Unsafe act of data handling (AF). The trajectory of data breach opportunity passes through the aligned holes. AF: Active Failure; LF: Latent Failure.
• 46. Thank you for Listening. For more information, please visit:
1. Inquiry into SingHealth Cyber Attack: Report of the COI into the cyber attack on SingHealth - 10 Jan 2019
2. MoFang / Whitefly’s profile on the ThaiCERT website: Whitefly/MoFang | APT Profile
3. Fox-IT’s threat report on MoFang: MoFang threat report
4. SingHealth malware analysis by RedAlert: Singapore custom malware analysis
5. CSA whistleblowing channel: https://www.csa.gov.sg/legislation/whistleblowing
  • 47. Q & A
  • 48. Thank you for being great classmates All the best for your future endeavours
  • 49. Jia Ming Very IT savvy and willing to share and help his other team mates Jiaming is a very good team player and humble leader of projects, always going the extra mile to ensure concepts are understood across the board, extremely meticulous with slide formatting due to his background in media. He is also organised and is able to share concepts fluidly. Very meticulous Organised Knowledgeable Good aesthetics (designer)
• 50. Wee Kim. Patient, and always acknowledges the perspectives of less IT-savvy team mates despite her IT expertise. She is very good at explaining IT concepts in simple terms. Her experience in IT helped the group a lot. Invaluable expertise and steered us in the correct direction. Very knowledgeable and calm, able to help less IT-savvy members grasp concepts. Also, due to her previous work experience in IT, she is able to shed light on the actual work processes to help us understand the actual situation on the ground.
• 51. Shirley. Very detail-oriented, asking crucial questions to advance project development. Extremely diligent and puts in extra effort in her own time. Her perseverance is admirable; she contributed in spite of being ill. Very conscientious in making sure images in the PowerPoint are of clear quality. Shirley is meticulous, always ensuring that our presentations are of high quality, even re-typing/re-making diagrams to ensure crispness of resolution and ease of reading. She’s also very considerate, always making sure we have our meals before resuming the project.
• 52. We-Le. He showed us an owl photo. He cares for his team mates’ well-being. Provided vital IHiS-related resources and documents for the team’s reference. Good team player who helped us search for additional resources. We-Le provides level-headed feedback on the projects and is always around to share expertise from his previous industry.
• 53. Dixie. Highly energetic; her enthusiasm helped us get through this gruelling process! Translates complex technical concepts into digestible content. Always cheerful and brightens the group meetings. Gave constructive ideas. Thumbs up. Fast reader / helped to speed-read the massive report.