JN
Uploaded byJames Neo
PDF, PPTX1,792 views

SingHealth Cyber Attack (project)

The document details a sophisticated cyber attack on Singapore Health Services (SingHealth) that occurred from June to July 2018, during which the personal information of 1.5 million patients was unlawfully accessed and exfiltrated. The report outlines the timeline of the attack, the tools and techniques used by hackers, including phishing and malware, and discusses the vulnerabilities in SingHealth's security response. It also highlights recommendations for improving cyber resilience and incident management within the organization's security operations center (SOC).

Technology
Related topics:
Cyber Attack

Embed presentation

Download as PDF, PPTX
SingHealth Cyber Attack Group 1: Jiaming We-Le Dixie Wee Kim Shirley
Contents Overview - Organisation profile and Background - Target and Victims - Killchain timeline, Tools and Key Events Problem Identification - Problem statement - Stakeholder Map/SOC Team - As-Is Security Breach scenario with Preliminary Analysis - Pain Points using Empathy Map - Comparison of Ideal SOC vs as-is team NIST Cyber Security Framework - Framework overview - Framework guidelines - Implementation tiers - SOLUTIONS: Cyber resilience lifecycle Conclusion - Swiss Cheese Model for Data Breach - IHIS Action Plan
Overview
Organisation Profile Singapore Health Services (commonly abbreviated as SingHealth) is Singapore's largest group of healthcare institutions. The group was formed in 2000 and consists of four public hospitals, three community hospitals, five national specialty centres and a network of eight polyclinics. The Singapore General Hospital is the largest hospital in the group and serves as the flagship hospital for the cluster.
Between 23 August 2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented scale and sophistication was carried out on the patient database of Singapore Health Services Private Limited (“SingHealth”). The database was illegally accessed and the personal particulars of almost 1.5 million patients, including their names, NRIC numbers, addresses, genders, races, and dates of birth, were exfiltrated over the period of 27 June 2018 to 4 July 2018. Around 160,000 of these 1.5 million patients also had their outpatient dispensed medication records exfiltrated. The Prime Minister’s personal and outpatient medication data was specifically targeted and repeatedly accessed. Hackers did not amend or delete the records. Background
Targets & Victims PM Lee Hsien Loong Other ministers Data stolen included: 1. Names 2. NRIC 3. Addresses 4. Gender 5. Race information 6. Date of birth About 160,000 of these patients also had their outpatient prescriptions stolen. The attackers specifically and repeatedly targeted PM Lee’s personal particulars and information on medication that has been dispensed to him The authorities say a few ministers were also targeted but declined to identify them 1.5 million patients
Killchain Timeline - DBA, Citrix and SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 Defender 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network Attacker
Attacker’s Artefacts Malware Remote Access Trojan (RAT) Publicly Available Hacking Tool Usage: Malware was used by the attacker to obtain passwords for privilege escalation and lateral movement. Artefacts: log file from a known malware (Trojan.Vcrodat) containing password credentials of Workstation A user was found. Usage: The Hacking tools is used to regain access if initial implant was removed. It allows remote interaction with mail exchange servers, perform simple brute force attacks on email accounts. Artefacts: Hacking tools (Mimikatz & Termite) was installed on Workstation A by exploiting vulnerability in Microsoft Outlook. The tool was used to download files, masqueraded as .jpeg files containing malicious Powershell scripts. Usage: RAT provided the attacker with the capability to access and control the workstation, to execute shell scripts remotely, upload and download files. Artefacts: RAT (Trojan.Nibatad) was created on Workstation A. Shortly after the installation of the hacking tool. RAT is stealthy by design, or of unique variants that avoided detection by standard anti-malware solutions.
Phishing: Infect with dropper in form of malicious .exe or .dll file that is disguised as a document or image Once opened Trojan.Vcrodat is loaded in the PC (via search order hijacking) Upon execution, Vcrodat loads an encrypted payload onto the victim’s PC. This payload contacts a C&C and sends system information about the infected PC to the C&C server and downloads additional tools. DELIVERY Once the initial PC is infected with Vcrodat, Whitefly begins mapping the network and further infecting PCs using publicly available tools ie. Mimikatz and another open source tool to exploits a known Windows privilege escalation vulnerability on unpatched PCs. Whitefly utilises Open-source hacking tool called Termite ie Hacktool.Rootkit to allow it to perform more complex actions such as control multiple compromised machines at a time. EXPLOITATION INSTALLATION Mimikatz is repeated deployed to obtain credentials on more machines on the network till they gain access to the desired data. ACTION ON OBJECTIVE RECONNAISSANCE WEAPONISATION Target Attack Killchain Analysis WHITEFLY MO: Remain dormant within targeted organization for long periods of time in order to steal large volumes of data. Whitefly configures multiple C&C domains for each target COMMAND & CONTROL
WHITEFLY | MÓFǍNG | 模仿 Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries. Operation Whitefly ● Trojan.Vcrodat ● Trojan.Nibatad Malware Hacking Tools TTPs ● Hacktool.Rootkit ● Hacktool.Mimikatz ● Spear-phishing ● Multiple C&C domains Reference Links : Thaicert | Reuters | Redalert | Foxit | Symatec |
Medical Records Workstation A Workstation B CITRIX Server 1 @SGH CITRIX Server 2 @SGH CITRIX Server 3 @HDC 4 5a 5b 1 2 6 3 CITRIX Servers Data exfiltration (27 June 2018 – 4 July 2018) Lateral movement & privilege escalation (December 2017 – June 2018) Initial entry (23 August 2017) Data transferred (27 June 2018 – 4 July 2018) Compromised SCM (26 June 2018) Queried SCM Database (27 June 2018 – 4 July 2018) Data transferred (27 June 2018 – 4 July 2018) Healthcare Institution B Healthcare Institution A Internet SCM DB Servers Attacker’s movement to SCM DB Server Flow of data exfiltration Key Events of Cyber Attack
Problem Identification
Problem Identification Challenges to IHiS Should a similar cyber attack happens again, how might it: 1. Enhance its response plan 2. Mitigate or reduce the risk of such attack 3. Better protect its network and systems Despite tell-tale signs of cyber attacks that started in Aug 2017, about 1.5 million patient records were exfiltrated over a period of 8 days (27 June 2018 to 4 July 2018).
Stakeholder Map/SOC Team CEO IHIS MD MOHH CSG IHIS CISO GCIO MOH IOH CSA OPS CERT Team SIRM Security Infrastructure Service Lead Network Application Service Lead End User Management Security Incident Response Team (SIRT)
As-Is Security Breach Scenario : Ben (Profile) Ben, L1 - System Engineer, Security Management Department, IHiS ● One member of the Computer Emergency Response Team (CERT) who has attended an incident response course (“Hacker Tools, Techniques, and Incident Handling” by SANS). ● CERT (three-member) team was setup in Mar 2018. ● CERT team: first responders who are responsible for performing incident analysis to determine the scope and nature of the incident, collect forensic evidence, tracking or tracing the intruder, and providing on-site assistance to help with incident recovery ● Reports to Ernie, Senior Manager, SMD
- DBA, Citrix and SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement Killchain Timeline Attacker Defender User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network
As-Is Security Breach Scenario : Ben (1/3) While doing routine checks, alerted of filename of the suspected malware found on PHI 1 workstation. ● PHI 1 Workstation attempts to connect with foreign IP address and an associated URL. (foreign IP address belongs to C2 server of the attacker) ● PHI 1 Workstation sent commands to two other IP addresses in foreign country ● While the file name of the suspected malware was of a legitimate program, the program was not located in the correct file path, but L1 did not notice this irregularity. ● PHI 1 Workstation’s network traffic between all 3 IP addresses was blocked and disconnected from the SingHealth network. ● Workstation was reimaged and files was quarantined, before connecting it to network. ● Workstation was no longer attempting to connect to the foreign IP address. However, commands were still being broadcast to the other two IP addresses ● Contacted outsourced vendor for MSS (Managed Security Services) to continue monitoring suspicious IP addresses and URL. While MSS provider is responsible for receiving alerts, ultimately, assessments of the seriousness of the alerts and consequent remedial actions are squarely within the remit of IHiS’ security staff. ● Domain name of foreign URL was not blocked. 18 Jan 2018 Investigation Actions Taken
As-Is Security Breach Scenario : Ben (2/3) L1 obtained network logs (proxy logs and firewall logs), searched for both proxy logs and firewall logs from 1 to 19 Jan 2018. 19 Jan 2018 (AM) L1 sent an email to the SMD, included L2 Ernie, titled “Hits to IOCs” (‘IOCs’ refer to indicators of compromise), attaching network logs and them told he arranged for scans for hits involving the malicious IPs and URLs. 19 Jan 2018 (PM) L1 analysed process dump of suspicious file identified on the PHI 1 Workstation via online service which analyses suspicious files and facilitates detection of viruses, Trojans, worms and malware. Wrongly trusted online benign result as malware signature was not available publicly at that time, and online check unable to flag it as malicious. Not trained and do not have tool to analyse process dump; only trained in digital and memory forensics 20 Jan 2018 (PM) L1 noticed many instances of access to the foreign IP address. All the successful instances of access were from a single IP address, and involved either a particular SGH userID, or the hostname of SGH workstation A. Workstation A played a significant role in the Cyber Attack. Investigation L1 continued to monitor network traffic to update L2. No further malicious outbound traffic from the PHI 1 Workstation. 22 Jan 2018
User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network - DBA, Citrix and SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement Attacker Defender Killchain Timeline
As-Is Security Breach Scenario : Ben (3/3) ❖ DBA also alerted Citrix Team on failed login attempts to SCM server and informed L1. Citrix Team explained their log findings to L1: ● Attempts to access SCM database from Citrix Server, on 11 and 12 June 2018; ● Multiple usernames had been used in attempts to login to SCM database; ● Unauthorised access to Citrix Server 1 using L.A. account on multiple occasions since 17 May 2018; L.A. account should only have been used by the Citrix Team. 13 Jun 2018 5 Months later Investigation ● L1 and the Citrix Team investigates into the unauthorised accesses to find physical locations of workstations by pinging them and found they were VM. ● PHI 1 Workstation which had been re-imagined is compromised by malware again. ● L.A. account had a weak password (‘P@ssw0rd’), could easily be decrypted and was found on a batch file in clear-text. Possible attacker accessed this file and obtained the credentials Actions Taken ● L1 realised SCM was being targeted. ● Citrix team emailed L1 and copied CERT, L2 and L3 (Cluster ISO for SingHealth) but Ernie was overseas and did not read email immediately
Ernie- Senior Manager, Security Management Department, IHiS ● SingHealth’s Security Incident Response Manager (SIRM) to Lead and Coordinate IT Security Incident Response, deemed as Subject Matter Expert. ● Security Incident Response Team (SIRT) updates SIRM ● Reports to Assistant Director, Infrastructure Services & SingHealth Cluster Infrastructure Lead As-Is Security Breach Scenario : Ernie (Profile)
As-Is Security Breach Scenario : Ernie Ernie received email from L1. He “glanced” at the logs, saw multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1. 19 Jan 2018 Actions Taken No further investigation proactively taken by Ernie to: ● identify owner of the user-ID shown in the logs (i.e. the user of Workstation A); ● identify physical location of Workstation A; ● investigate into the callbacks from Workstation A, including whether it was infected with malware; or ● To block connections to the suspicious IP address from SGH or the rest of the SingHealth network. There is also no indication that there was any follow-up from any other members of the SMD. ● Ernie deemed not a reportable security incident as malware on PHI 1 Workstation contained. ● IR-SOP states that malware infections that have been detected, contained, and cleaned, without network propagation, need not be reported. ● Ernie failed to investigate whether malware had network propagation. ● Ernie did not inform Wee because suspected malware of workstation is very common. ● Ernie did not file Incident Reporting Form (“IRF”) because suspected infections not typically filed. Investigation
Feels ● Alone & stressed ● Uncertain of impact / extent. ● CERT team too lean (i.e. need 24 x 7 strong skilled SOC team, including Threat Hunter) ● Not well versed in procedures/ policies SIRM & CERT Pain Points - Empathy Map Think & Says from Ernie ● I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident. ● If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated on the IR-SOP ● Puts a lot of pressure on team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO all want info Does (Moving forward) ● Case Management software to log all investigative updates and track progress. ● Advanced endpoint detection and response (EDR) integrated with analytics/ AI for rapid isolation of infected systems, and collection of forensic evidence from multiple systems at the same time ● Implement ATP with advanced response capabilities
Ideal SOC Team
Existing SERT Team L1 (Threat Analyst) L2 (Triage Analyst) L3 (Threat Hunting) IT SecOps 100% 100% 30% 30% Ben System Engineer, SMD, IHiS Security Ops Manager 45% Ernie SIRM Senior Manager, SMD, IHiS
Building Advanced SOC centre multiple domains People 1. What are skills needed? 2. Personality / attitude of staff 3. Constant upgrading of skills Process 1. Incidents scenarios with responses 2. Entire lifecycle of incidents 3. Processes and continual improvement Technology 1. SIEM architecture and use cases 2. SIEM integrated with Behaviour based analytics, Endpoint detection Response (EDR) 3. Web services to integrate them Governance/metrics 1. Dashboard visibility and oversight 2. Policy, measurements and enforcements 3. Informing stakeholders
NIST Framework IDENTIFY - Organisations PROTECT - Safeguard Business DETECT - Implement Systems RESPOND - Take Action RECOVER - Be Resilient
IDENTIFY NIST FRAMEWORK CORE Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Roles and responsibilities were well established by existing policies but not explicitly communicated, resulting in miscommunication and misinterpretation of Security Threats. Policy on handling Advanced Persistent Threats (APTs) were not in-place during the cyber attack. FY 16 H-Cloud Pen-Test was conducted, however vulnerabilities surfaced NOT prioritised, as several vulnerabilities identified were not handled with urgency. Asset Management Business Environment Governance Risk Assessment Risk Management Strategy
IDENTIFY CYBER RESILIENCE LIFECYCLE Defining a roadmap and action plan to build or improve Organisation’s cyber resilience plan. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● IBM X-Force RED ● IBM Q-Radar ● IBM Advanced Threat (ATP) Protection Feed ● *Solarwind Asset Management & Discovery Technique & Process: ● Cyber Resilience Preliminary Assessment ● Cyber Rapid Risk Readiness Assessment ● Software Defined Network Planning and Assessments ● Critical Data Protection Program ● Program Governance ❖ *Asset discovery tool to automate the asset discovery and management process, as opposed to a physical asset register updated manually Security assessment and review including: ● Asset inventory (includes legacy systems) ● External network ● Internal network ● Wireless network ● Internet ● Firewall ● Host & Server ● Remote access ● Risk assessment ● Pen-Test
PROTECT (1/2) NIST FRAMEWORK CORE Develop and implement appropriate safeguards to ensure delivery of critical services. Identity Management system and process allowing access permission and authorisation are poorly governed and not strictly enforced. Network was also poorly segregated, segmented, and mishandled by untrained staff, allowing attackers to exploit on these vulnerabilities in the attack. Cybersecurity personnels were poorly trained, therefore unable to appreciate and co-relate their findings with tactics, techniques, and procedures (TTP) of Cyber Attacks. Awareness and Training Identity Management, Authentication and Access Control Information Protection Processes and Procedures Data Security Maintenance Protective Technology SIRT team were unfamiliar with the security policy documents and the need to escalate the matter to CSA
PROTECT (2/2) NIST FRAMEWORK CORE Develop and implement appropriate safeguards to ensure delivery of critical services. **Privileged users had weak understanding of their roles and responsibilities. Absence of APT playbook - Existing SIRT playbook was geared more towards conventional attacks, like ransomware and website defacement. Cybersecurity TT exercises conducted featured APTs as one of the threat scenarios (2016) Gross neglect by IHIS organisation - omission of APTs in their playbook Weak maintenance process. Confirmation of work done is based on a "trust" system. No follow-up process to ensure enforcement of changes. Protective security solutions are in-place but poorly managed, enforced and handled. Outsourced MSS service also lacking in vigilance Awareness and Training Identity Management, Authentication and Access Control Information Protection Processes and Procedures Data Security Maintenance Protective Technology
PROTECT (1/2) CYBER RESILIENCE LIFECYCLE Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection Identity Management, Authentication and Access Control: ● To Improve identity management process to verified, revoked, and audited remote access and permission ● A central Public Key Infrastructure (“PKI”) to issue digital certificates to validate connections to IHiS’ network, and support key exchange for encryption purposes. ● Ensure *enforcement of policies to enforce multi-factor authentication amd complex password. Awareness and Training : ● SIRT Team need to be adequately trained and informed of policies. ● Privileged users, Third-party stakeholders, senior executives needs to be educated of their roles and responsibilities in prevention of cyber security incidents
PROTECT (2/2) CYBER RESILIENCE LIFECYCLE Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection Data Security: ● Network integrity needs to be improved, through network segmentation and segregation of CII assets ● Data-at-rest and in transition need to be adequately protected and encrypted to prevent data leak. ● Assets must be well managed throughout removal, transfers, and disposition. ● Integrity checking mechanism need to be inplace to check hardware, software, firmware, and information integrity. Maintenance: ● Needs to ensure the maintenance work are properly conducted, through a proof of work system as reference. Information Protection Processes and Procedures: ● Although there are several policies in-place, it needs to be better communicated to the SIRT team. ● Need to ensure vulnerability management plan is developed and implemented.
DETECT NIST FRAMEWORK CORE Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Detection system and policies are in placed, however personnels were not trained and equipped to recognise advanced persistent threats (APT). MSS Vendor were being contacted to assist with the monitoring and detection of the cybersecurity events. Security Continuous Monitoring Anomalies and Events Detection Processes Personnel and system were monitored and scanned for vulnerabilities but were unsuccessful in their detection, as malicious code were were stealthy by design and not detected by standard anti-malware solutions. Detection processes via MSS (eg. Anti-Malware/Virus, intrusion detection/prevention systems, SIEM) were in-placed, to successfully detect malicious activities but not the malware. Maintenance of detection tools and follow-up processes were lax; anti-Malware/Virus were not patched; Firewall was down and undetected.
DETECT CYBER RESILIENCE LIFECYCLE Detecting unknown threats with advanced analytics. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Managed X-Force Detection ● X-Force Command Centers ● Resiliency Orchestration with Cyber Incident Recovery – provides dashboard monitoring of Cyber Incident, Recovery Time (RTO), and Recovery Point Objectives (RPO) Technique & Process: ● Active Threat Assessment ● Whistleblowing policy AI helps to flag out Anomalies and Events: ● Detected events are analyzed to understand attack targets and methods ● Event data are collected and correlated from multiple sources and sensors ● Establish Incident alert thresholds Continuous 24 X 7 Monitoring by a strong and knowledgeable SOC team: ● Proactive monitoring, including suspicious activities or incident. Detection processes and procedures are maintained and tested to ensure awareness of anomalous events: ● Improve maintenance of detection tools via ensuring updates. ● Procedures and procedures are well communicated and briefed to staff ● Shared Management dashboard that covers not only security incidents which were responded to and reported visible all the way up to the organisation’s CEO and be reviewed periodically.
RESPOND NIST FRAMEWORK CORE Develop and implement appropriate activities to take action regarding a detected cybersecurity incident Response plan and policies was not well communicated to the SIRT team. However, necessary measures were taken to limit damage during and after the Cyber attack. Roles and order of operations is well defined in the SIRT Team. Information on the incident was reported and shared within the SIRT Team to limit the incident, and subsequently to the public and external stakeholders to promote broader cybersecurity awareness. However, failure to recognise the early warning signs of the threat delayed the communication process. The delay in detection and communication process, in-turn delayed the forensic Investigation in identifying the impact and nature of the attack APT). Communications Response Planning Analysis Mitigation Improvements Recommendation surface from Annual Pen-Test/GIA audit/table top exercises were not heeded and incorporated into responds plan.
RESPOND CYBER RESILIENCE LIFECYCLE Responding effectively to cyber outbreak. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● X-Force Threat Management Response ● Initiate Backup as a Service and Disaster Recovery as a Service for data and production recovery Technique & Process: ● Recovery notification workflow automation ● Dynamically managed infrastructure IHIS Security Incident Response Team (SIRT) preparation: ● SOC team should be trained in all kinds of malicious attacks (including ATP), aware of what are strategies and procedures to apply in response to such attack. ● SOC team need to know who are stakeholders they need to report to, ● SOC team able to have a single consolidated view to do their analysis and forensics.
RECOVER NIST FRAMEWORK CORE Develop and implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired by the incident Recovery plan was eventually executed to mitigate attack, and prevent further data breach and data theft. IHIS have since taken a series of measure to strengthen it’s cybersecurity, Incorporating lesson learned from this incident. Public fallout was being minimised, as there was a public enquiry into the failings, in part due to Singaporean’s confidence in government's handling of the situation. Improvements Recovery Planning Communications
RECOVER CYBER RESILIENCE LIFECYCLE Recovering access to critical data and applications. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Resiliency Orchestration with Cyber Incident Recovery ● Backup as a Service ● Disaster Recovery as a Service Technique & Process: ● MultiNetwork WAN (MWS) – dynamically reallocate bandwidth to support recovery IHIS Security Incident Response Team (SIRT) preparation: ● SOC team and relevant IT staff are aware of recovery procedures and plan ● Recovery plans incorporate lessons learnt ● Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
Implementation Tiers - Cybersecurity professionals (staff) and the general employee population have had little to no cybersecurity-related training - The staff has a limited or nonexistent training pipeline. - Security awareness is limited. - Employees have little or no awareness of company security resources and escalation paths. TIER 1 PARTIAL - The staff and employees have received cybersecurity-related training - The staff has a training pipeline - There is an awareness of cybersecurity risk at the organisation level. - Employees have a general awareness of security and company security resources and escalation paths. TIER 2 RISK INFORMED - The staff possesses the knowledge and skills to perform their appointed roles and responsibilities - Employees should receive regular cybersecurity-related training and briefings - The staff has a robust training pipeline, including internal and external security conferences or training opportunities. - Organisation and business units have a security champion or dedicated security staff. TIER 3 REPEATABLE - The staff’s knowledge and skills are regularly reviewed for currency and applicability and new skills, and knowledge needs are identified and addressed. - Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics. - The staff has a robust training pipeline and routinely attend internal and external security conferences or training opportunities. TIER 4 ADAPTIVE ? ? ? ?
Implementation Tiers - Cybersecurity professionals (staff) and the general employee population have had little to no cybersecurity-related training - The staff has a limited or nonexistent training pipeline. - Security awareness is limited. - Employees have little or no awareness of company security resources and escalation paths. TIER 1 PARTIAL - The staff and employees have received cybersecurity-related training - The staff has a training pipeline - There is an awareness of cybersecurity risk at the organisation level. - Employees have a general awareness of security and company security resources and escalation paths. TIER 2 RISK INFORMED - The staff possesses the knowledge and skills to perform their appointed roles and responsibilities - Employees should receive regular cybersecurity-related training and briefings - The staff has a robust training pipeline, including internal and external security conferences or training opportunities. - Organisation and business units have a security champion or dedicated security staff. TIER 3 REPEATABLE TARGET - The staff’s knowledge and skills are regularly reviewed for currency and applicability and new skills, and knowledge needs are identified and addressed. - Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics. - The staff has a robust training pipeline and routinely attend internal and external security conferences or training opportunities. TIER 4 ADAPTIVE IDEAL CURRENT 1.5
Conclusion
Swiss Cheese Model for Data Breach LF AF LF Organisation influence Inadequate security defences LF Precursors of unsafe data handling Unsafe act of data handling Trajectory of data breach opportunity AF: Active Failure LF: Latent Failure
Thank you for Listening For more information, please visit 1. Inquiry into Singhealth Cyber attack: Report of the coi into the cyber attack on SingHealth - 10 Jan 2019 2. MoFang / Whitefly’s Profile on ThaiCert Website: Whitefly/MoFang | APT Profile 3. Foxit’s Threat report on MoFang: MoFang threat report 4. SingHealth Malware Analysis by RedAlert: Singapore custom malware analysis 5. CSA Whistleblowing channel: https://www.csa.gov.sg/legislation/whistleblowing
Q & A
Thank you for being great classmates All the best for your future endeavours
Jia Ming Very IT savvy and willing to share and help his other team mates Jiaming is a very good team player and humble leader of projects, always going the extra mile to ensure concepts are understood across the board, extremely meticulous with slide formatting due to his background in media. He is also organised and is able to share concepts fluidly. Very meticulous Organised Knowledgeable Good aesthetics (designer)
Wee Kim Patient and always acknowledge other less IT savvy’s team mates perspective despite her IT expertise. She is very good at explaining IT concepts in a simple term Her experience in IT helped the group a lot. Invaluable expertise and steered us in the correct direction Very knowledgeable and calm, able to help less IT savvy members grasp concepts. Also due to her previous work experience in IT, she is able to also shed light in the actual work processes to help us understand the actual situation on the ground.
Very detailed oriented. Asking crucial questions to advance project development. Shirley Extremely Diligent and put in extra effort in her own time Her perseverance is admirable and contributed in spite of being ill Very conscientious in making sure images in powerpoint are of clear quality Shirley is meticulous, always ensuring that our presentations are of high quality, even re-typing/re-making diagrams to ensure crispness of resolution and also ease of reading. She’s also very considerate, always making sure we have our meals before resuming project.
We-Le He showed us an owl photo He cares for his team mates well being Provided vital IHIS related resources and document for team’s reference. Good team player who helped us search for additional resources We-Le provides level-headed feedback to the projects and is always around to share expertise from his previous industry.
Dixie Highly energetic, her enthusiasm helped us to go through this gruelling process! Translate complex technical concepts to digestible content. Always cheerful and brightens the group meetings Gave constructive ideas. Thumbs up. Fast reader / Helped to speed read the massive report

More Related Content

PPTX
Analyzing Cyber-Attacks: Case Studies of Five Organizations
byBoston Institute of Analytics
 
PPT
Cyber Security-Foundation.ppt
byErAdityaSingh1
 
PPTX
The Board and Cyber Security
byFireEye, Inc.
 
PDF
Types of Threat Actors and Attack Vectors
byLearningwithRayYT
 
PPT
Cyber Security Emerging Threats
byisc2dfw
 
PPT
Security tools
byarfan shahzad
 
PDF
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
byCybersecurity Education and Research Centre
 
PDF
The importance of Cybersecurity
byBenoit Callebaut
 
Analyzing Cyber-Attacks: Case Studies of Five Organizations
byBoston Institute of Analytics
 
Cyber Security-Foundation.ppt
byErAdityaSingh1
 
The Board and Cyber Security
byFireEye, Inc.
 
Types of Threat Actors and Attack Vectors
byLearningwithRayYT
 
Cyber Security Emerging Threats
byisc2dfw
 
Security tools
byarfan shahzad
 
National Critical Information Infrastructure Protection Centre (NCIIPC): Role...
byCybersecurity Education and Research Centre
 
The importance of Cybersecurity
byBenoit Callebaut
 

What's hot

PDF
Lessons learned from the SingHealth Data Breach COI Report
byBenjamin Ang
 
PPTX
Cyber Security Awareness Session for Executives and Non-IT professionals
byKrishna Srikanth Manda
 
PPSX
Next-Gen security operation center
byMuhammad Sahputra
 
PPTX
OSINT: Open Source Intelligence gathering
byJeremiah Tillman
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PPTX
Threat Hunting - Moving from the ad hoc to the formal
byPriyanka Aash
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
Splunk Threat Hunting Workshop
bySplunk
 
PPTX
OpenSourceIntelligence-OSINT.pptx
byanonymousanonymous428352
 
PDF
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
PDF
Singapore Cybersecurity Strategy and Legislation (2018)
byBenjamin Ang
 
PPTX
Phishing awareness
byPhishingBox
 
PDF
Red Team Framework
by👀 Joe Gray
 
PPTX
Cybersecurity Awareness Training
byDave Monahan
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
PPTX
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
PPTX
McAfee SIEM solution
byhashnees
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PDF
osint + python: extracting information from tor network and darkweb
byJose Manuel Ortega Candel
 
Lessons learned from the SingHealth Data Breach COI Report
byBenjamin Ang
 
Cyber Security Awareness Session for Executives and Non-IT professionals
byKrishna Srikanth Manda
 
Next-Gen security operation center
byMuhammad Sahputra
 
OSINT: Open Source Intelligence gathering
byJeremiah Tillman
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Threat Hunting - Moving from the ad hoc to the formal
byPriyanka Aash
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Splunk Threat Hunting Workshop
bySplunk
 
OpenSourceIntelligence-OSINT.pptx
byanonymousanonymous428352
 
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
Singapore Cybersecurity Strategy and Legislation (2018)
byBenjamin Ang
 
Phishing awareness
byPhishingBox
 
Red Team Framework
by👀 Joe Gray
 
Cybersecurity Awareness Training
byDave Monahan
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
INCIDENT RESPONSE NIST IMPLEMENTATION
bySylvain Martinez
 
Chapter 11: Information Security Incident Management
byNada G.Youssef
 
McAfee SIEM solution
byhashnees
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
osint + python: extracting information from tor network and darkweb
byJose Manuel Ortega Candel
 

Similar to SingHealth Cyber Attack (project)

PDF
Corporate threat vector and landscape
byyohansurya2
 
PPTX
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
byNUS-ISS
 
PPTX
Cyberattacks on Healthcare Systemss.pptx
byJoeOrlando16
 
PDF
security_threats.pdf and control mechanisms
byronoelias98
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
byDavies Chacko
 
PPT
Citi NCR-Gurgaon 2010 -Presentation2.ppt
byluckysingh25898
 
PDF
List of data breaches and cyber attacks in january 2022
byndcmanagement
 
PDF
UN Presentation - 10-17-2018 - Maccaglia
byStefano Maccaglia
 
PDF
Threatsploit Adversary Report January 2019
byBriskinfosec Technology and Consulting Pvt Ltd
 
PDF
Using international standards to improve Asia-Pacific cyber security
byIT Governance Ltd
 
PPTX
CTEK Cyber Briefing - April 2022.pptx
bySophia Price
 
PPTX
CynergisTek Cyber Briefing April 2022
bySophiaPalmira1
 
PDF
HIPAA Preso
byJoseph Schorr
 
DOCX
You are the information technology manager of a major hospital that ha.docx
byerinskingsman95711
 
PDF
AOA_Report_TrapX_AnatomyOfAttack-Healthcare
byTony Zirnoon, CISSP
 
DOCX
(Executive Summary)MedStar Health Inc, a leader in the healthc
bySilvaGraf83
 
PDF
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
PDF
Protected Harbor Data Breach Trend Report
byProtected Harbor
 
PDF
DHHS ASPR Cybersecurity Threat Information Resources
byDavid Sweigert
 
PPTX
Cyber Threats
byProf John Walker FRSA Purveyor Dark Intelligence
 
Corporate threat vector and landscape
byyohansurya2
 
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
byNUS-ISS
 
Cyberattacks on Healthcare Systemss.pptx
byJoeOrlando16
 
security_threats.pdf and control mechanisms
byronoelias98
 
CYBER-CRIMES AND SECURITY A guide to understanding
byDavies Chacko
 
Citi NCR-Gurgaon 2010 -Presentation2.ppt
byluckysingh25898
 
List of data breaches and cyber attacks in january 2022
byndcmanagement
 
UN Presentation - 10-17-2018 - Maccaglia
byStefano Maccaglia
 
Threatsploit Adversary Report January 2019
byBriskinfosec Technology and Consulting Pvt Ltd
 
Using international standards to improve Asia-Pacific cyber security
byIT Governance Ltd
 
CTEK Cyber Briefing - April 2022.pptx
bySophia Price
 
CynergisTek Cyber Briefing April 2022
bySophiaPalmira1
 
HIPAA Preso
byJoseph Schorr
 
You are the information technology manager of a major hospital that ha.docx
byerinskingsman95711
 
AOA_Report_TrapX_AnatomyOfAttack-Healthcare
byTony Zirnoon, CISSP
 
(Executive Summary)MedStar Health Inc, a leader in the healthc
bySilvaGraf83
 
HCA 530, Week 2, Hacking healthcare it in 2016 lessons the healthcare industr...
byMatthew J McMahon
 
Protected Harbor Data Breach Trend Report
byProtected Harbor
 
DHHS ASPR Cybersecurity Threat Information Resources
byDavid Sweigert
 
Cyber Threats
byProf John Walker FRSA Purveyor Dark Intelligence
 

Recently uploaded

PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PPTX
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
January Patch Tuesday
byIvanti
 
PPTX
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PPTX
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
PDF
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
AI Meets DBA Transforming Database Administration with Intelligence
byGeoPITS Global Pvt Ltd
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
January Patch Tuesday
byIvanti
 
Apache Kafka 101 for Techies in IT dep.pptx
byamulyareddyk97
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
Storage-and-HCI-Positioning-update-sales.pptx
byhungungphu123
 
Mercury Computer Systems & The Cell Broadband Engine
bySlide_N
 

SingHealth Cyber Attack (project)

  • 1.
    SingHealth Cyber Attack Group 1: JiamingWe-Le Dixie Wee Kim Shirley
  • 2.
    Contents Overview - Organisation profileand Background - Target and Victims - Killchain timeline, Tools and Key Events Problem Identification - Problem statement - Stakeholder Map/SOC Team - As-Is Security Breach scenario with Preliminary Analysis - Pain Points using Empathy Map - Comparison of Ideal SOC vs as-is team NIST Cyber Security Framework - Framework overview - Framework guidelines - Implementation tiers - SOLUTIONS: Cyber resilience lifecycle Conclusion - Swiss Cheese Model for Data Breach - IHIS Action Plan
  • 3.
  • 4.
    Organisation Profile Singapore Health Services(commonly abbreviated as SingHealth) is Singapore's largest group of healthcare institutions. The group was formed in 2000 and consists of four public hospitals, three community hospitals, five national specialty centres and a network of eight polyclinics. The Singapore General Hospital is the largest hospital in the group and serves as the flagship hospital for the cluster.
  • 5.
    Between 23 August2017 and 20 July 2018, a cyber attack (the “Cyber Attack”) of unprecedented scale and sophistication was carried out on the patient database of Singapore Health Services Private Limited (“SingHealth”). The database was illegally accessed and the personal particulars of almost 1.5 million patients, including their names, NRIC numbers, addresses, genders, races, and dates of birth, were exfiltrated over the period of 27 June 2018 to 4 July 2018. Around 160,000 of these 1.5 million patients also had their outpatient dispensed medication records exfiltrated. The Prime Minister’s personal and outpatient medication data was specifically targeted and repeatedly accessed. Hackers did not amend or delete the records. Background
  • 6.
    Targets & Victims PMLee Hsien Loong Other ministers Data stolen included: 1. Names 2. NRIC 3. Addresses 4. Gender 5. Race information 6. Date of birth About 160,000 of these patients also had their outpatient prescriptions stolen. The attackers specifically and repeatedly targeted PM Lee’s personal particulars and information on medication that has been dispensed to him The authorities say a few ministers were also targeted but declined to identify them 1.5 million patients
  • 7.
    Killchain Timeline - DBA,Citrix and SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 Defender 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network Attacker
  • 8.
    Attacker’s Artefacts Malware Remote Access Trojan(RAT) Publicly Available Hacking Tool Usage: Malware was used by the attacker to obtain passwords for privilege escalation and lateral movement. Artefacts: log file from a known malware (Trojan.Vcrodat) containing password credentials of Workstation A user was found. Usage: The Hacking tools is used to regain access if initial implant was removed. It allows remote interaction with mail exchange servers, perform simple brute force attacks on email accounts. Artefacts: Hacking tools (Mimikatz & Termite) was installed on Workstation A by exploiting vulnerability in Microsoft Outlook. The tool was used to download files, masqueraded as .jpeg files containing malicious Powershell scripts. Usage: RAT provided the attacker with the capability to access and control the workstation, to execute shell scripts remotely, upload and download files. Artefacts: RAT (Trojan.Nibatad) was created on Workstation A. Shortly after the installation of the hacking tool. RAT is stealthy by design, or of unique variants that avoided detection by standard anti-malware solutions.
  • 9.
    Phishing: Infect with dropperin form of malicious .exe or .dll file that is disguised as a document or image Once opened Trojan.Vcrodat is loaded in the PC (via search order hijacking) Upon execution, Vcrodat loads an encrypted payload onto the victim’s PC. This payload contacts a C&C and sends system information about the infected PC to the C&C server and downloads additional tools. DELIVERY Once the initial PC is infected with Vcrodat, Whitefly begins mapping the network and further infecting PCs using publicly available tools ie. Mimikatz and another open source tool to exploits a known Windows privilege escalation vulnerability on unpatched PCs. Whitefly utilises Open-source hacking tool called Termite ie Hacktool.Rootkit to allow it to perform more complex actions such as control multiple compromised machines at a time. EXPLOITATION INSTALLATION Mimikatz is repeated deployed to obtain credentials on more machines on the network till they gain access to the desired data. ACTION ON OBJECTIVE RECONNAISSANCE WEAPONISATION Target Attack Killchain Analysis WHITEFLY MO: Remain dormant within targeted organization for long periods of time in order to steal large volumes of data. Whitefly configures multiple C&C domains for each target COMMAND & CONTROL
  • 10.
    WHITEFLY | MÓFǍNG| 模仿 Mofang is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries. Operation Whitefly ● Trojan.Vcrodat ● Trojan.Nibatad Malware Hacking Tools TTPs ● Hacktool.Rootkit ● Hacktool.Mimikatz ● Spear-phishing ● Multiple C&C domains Reference Links : Thaicert | Reuters | Redalert | Foxit | Symatec |
  • 11.
    Medical Records Workstation A WorkstationB CITRIX Server 1 @SGH CITRIX Server 2 @SGH CITRIX Server 3 @HDC 4 5a 5b 1 2 6 3 CITRIX Servers Data exfiltration (27 June 2018 – 4 July 2018) Lateral movement & privilege escalation (December 2017 – June 2018) Initial entry (23 August 2017) Data transferred (27 June 2018 – 4 July 2018) Compromised SCM (26 June 2018) Queried SCM Database (27 June 2018 – 4 July 2018) Data transferred (27 June 2018 – 4 July 2018) Healthcare Institution B Healthcare Institution A Internet SCM DB Servers Attacker’s movement to SCM DB Server Flow of data exfiltration Key Events of Cyber Attack
  • 12.
  • 13.
    Problem Identification Challenges toIHiS Should a similar cyber attack happens again, how might it: 1. Enhance its response plan 2. Mitigate or reduce the risk of such attack 3. Better protect its network and systems Despite tell-tale signs of cyber attacks that started in Aug 2017, about 1.5 million patient records were exfiltrated over a period of 8 days (27 June 2018 to 4 July 2018).
  • 14.
    Stakeholder Map/SOC Team CEOIHIS MD MOHH CSG IHIS CISO GCIO MOH IOH CSA OPS CERT Team SIRM Security Infrastructure Service Lead Network Application Service Lead End User Management Security Incident Response Team (SIRT)
  • 15.
    As-Is Security BreachScenario : Ben (Profile) Ben, L1 - System Engineer, Security Management Department, IHiS ● One member of the Computer Emergency Response Team (CERT) who has attended an incident response course (“Hacker Tools, Techniques, and Incident Handling” by SANS). ● CERT (three-member) team was setup in Mar 2018. ● CERT team: first responders who are responsible for performing incident analysis to determine the scope and nature of the incident, collect forensic evidence, tracking or tracing the intruder, and providing on-site assistance to help with incident recovery ● Reports to Ernie, Senior Manager, SMD
  • 16.
    - DBA, Citrixand SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement Killchain Timeline Attacker Defender User fell prey to phishing. Attacker gained initial access to SingHealth’s IT network
  • 17.
    As-Is Security BreachScenario : Ben (1/3) While doing routine checks, alerted of filename of the suspected malware found on PHI 1 workstation. ● PHI 1 Workstation attempts to connect with foreign IP address and an associated URL. (foreign IP address belongs to C2 server of the attacker) ● PHI 1 Workstation sent commands to two other IP addresses in foreign country ● While the file name of the suspected malware was of a legitimate program, the program was not located in the correct file path, but L1 did not notice this irregularity. ● PHI 1 Workstation’s network traffic between all 3 IP addresses was blocked and disconnected from the SingHealth network. ● Workstation was reimaged and files was quarantined, before connecting it to network. ● Workstation was no longer attempting to connect to the foreign IP address. However, commands were still being broadcast to the other two IP addresses ● Contacted outsourced vendor for MSS (Managed Security Services) to continue monitoring suspicious IP addresses and URL. While MSS provider is responsible for receiving alerts, ultimately, assessments of the seriousness of the alerts and consequent remedial actions are squarely within the remit of IHiS’ security staff. ● Domain name of foreign URL was not blocked. 18 Jan 2018 Investigation Actions Taken
  • 18.
    As-Is Security BreachScenario : Ben (2/3) L1 obtained network logs (proxy logs and firewall logs), searched for both proxy logs and firewall logs from 1 to 19 Jan 2018. 19 Jan 2018 (AM) L1 sent an email to the SMD, included L2 Ernie, titled “Hits to IOCs” (‘IOCs’ refer to indicators of compromise), attaching network logs and them told he arranged for scans for hits involving the malicious IPs and URLs. 19 Jan 2018 (PM) L1 analysed process dump of suspicious file identified on the PHI 1 Workstation via online service which analyses suspicious files and facilitates detection of viruses, Trojans, worms and malware. Wrongly trusted online benign result as malware signature was not available publicly at that time, and online check unable to flag it as malicious. Not trained and do not have tool to analyse process dump; only trained in digital and memory forensics 20 Jan 2018 (PM) L1 noticed many instances of access to the foreign IP address. All the successful instances of access were from a single IP address, and involved either a particular SGH userID, or the hostname of SGH workstation A. Workstation A played a significant role in the Cyber Attack. Investigation L1 continued to monitor network traffic to update L2. No further malicious outbound traffic from the PHI 1 Workstation. 22 Jan 2018
  • 19.
    User fell preyto phishing. Attacker gained initial access to SingHealth’s IT network - DBA, Citrix and SCM teams detected failed logins to SCM - CERT started forensic - DBA noticed unusual queries on SCM and terminated the queries - IHiS started investigation IHiS detected further suspicious activity in SingHealth network - IHiS reported attack to CSA who worked with them Attacker started bulk query on SCM database Detect failed call-backs from workstations to suspicious foreign IP 20 July 2018 19 July 2018 10 July 2018 4 July 2018 27 June 2018 11-13 Jun 2018 Jan 2018 PenTest 23 Aug 2017 Mar 2017 27 June – 4 July Attacker exfiltrated data 4 months 27 days 10 months 5 days 10 months 12 days 5 months Instances of malicious activity took place - Internet Surfing Separation implemented - Public announcement Attacker Defender Killchain Timeline
  • 20.
    As-Is Security BreachScenario : Ben (3/3) ❖ DBA also alerted Citrix Team on failed login attempts to SCM server and informed L1. Citrix Team explained their log findings to L1: ● Attempts to access SCM database from Citrix Server, on 11 and 12 June 2018; ● Multiple usernames had been used in attempts to login to SCM database; ● Unauthorised access to Citrix Server 1 using L.A. account on multiple occasions since 17 May 2018; L.A. account should only have been used by the Citrix Team. 13 Jun 2018 5 Months later Investigation ● L1 and the Citrix Team investigates into the unauthorised accesses to find physical locations of workstations by pinging them and found they were VM. ● PHI 1 Workstation which had been re-imagined is compromised by malware again. ● L.A. account had a weak password (‘P@ssw0rd’), could easily be decrypted and was found on a batch file in clear-text. Possible attacker accessed this file and obtained the credentials Actions Taken ● L1 realised SCM was being targeted. ● Citrix team emailed L1 and copied CERT, L2 and L3 (Cluster ISO for SingHealth) but Ernie was overseas and did not read email immediately
  • 21.
    Ernie- Senior Manager, SecurityManagement Department, IHiS ● SingHealth’s Security Incident Response Manager (SIRM) to Lead and Coordinate IT Security Incident Response, deemed as Subject Matter Expert. ● Security Incident Response Team (SIRT) updates SIRM ● Reports to Assistant Director, Infrastructure Services & SingHealth Cluster Infrastructure Lead As-Is Security Breach Scenario : Ernie (Profile)
  • 22.
    As-Is Security BreachScenario : Ernie Ernie received email from L1. He “glanced” at the logs, saw multiple attempts to communicate with the foreign IP address from one or more workstations in SGH and PHI 1. 19 Jan 2018 Actions Taken No further investigation proactively taken by Ernie to: ● identify owner of the user-ID shown in the logs (i.e. the user of Workstation A); ● identify physical location of Workstation A; ● investigate into the callbacks from Workstation A, including whether it was infected with malware; or ● To block connections to the suspicious IP address from SGH or the rest of the SingHealth network. There is also no indication that there was any follow-up from any other members of the SMD. ● Ernie deemed not a reportable security incident as malware on PHI 1 Workstation contained. ● IR-SOP states that malware infections that have been detected, contained, and cleaned, without network propagation, need not be reported. ● Ernie failed to investigate whether malware had network propagation. ● Ernie did not inform Wee because suspected malware of workstation is very common. ● Ernie did not file Incident Reporting Form (“IRF”) because suspected infections not typically filed. Investigation
  • 23.
    Feels ● Alone &stressed ● Uncertain of impact / extent. ● CERT team too lean (i.e. need 24 x 7 strong skilled SOC team, including Threat Hunter) ● Not well versed in procedures/ policies SIRM & CERT Pain Points - Empathy Map Think & Says from Ernie ● I did not report because my focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident. ● If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. The moment I report the security incident, the clock will start ticking as per the timelines indicated on the IR-SOP ● Puts a lot of pressure on team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO all want info Does (Moving forward) ● Case Management software to log all investigative updates and track progress. ● Advanced endpoint detection and response (EDR) integrated with analytics/ AI for rapid isolation of infected systems, and collection of forensic evidence from multiple systems at the same time ● Implement ATP with advanced response capabilities
  • 24.
  • 25.
    Existing SERT Team L1(Threat Analyst) L2 (Triage Analyst) L3 (Threat Hunting) IT SecOps 100% 100% 30% 30% Ben System Engineer, SMD, IHiS Security Ops Manager 45% Ernie SIRM Senior Manager, SMD, IHiS
  • 26.
    Building Advanced SOCcentre multiple domains People 1. What are skills needed? 2. Personality / attitude of staff 3. Constant upgrading of skills Process 1. Incidents scenarios with responses 2. Entire lifecycle of incidents 3. Processes and continual improvement Technology 1. SIEM architecture and use cases 2. SIEM integrated with Behaviour based analytics, Endpoint detection Response (EDR) 3. Web services to integrate them Governance/metrics 1. Dashboard visibility and oversight 2. Policy, measurements and enforcements 3. Informing stakeholders
  • 27.
    NIST Framework IDENTIFY -Organisations PROTECT - Safeguard Business DETECT - Implement Systems RESPOND - Take Action RECOVER - Be Resilient
  • 28.
    IDENTIFY NIST FRAMEWORK CORE Developan organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Roles and responsibilities were well established by existing policies but not explicitly communicated, resulting in miscommunication and misinterpretation of Security Threats. Policy on handling Advanced Persistent Threats (APTs) were not in-place during the cyber attack. FY 16 H-Cloud Pen-Test was conducted, however vulnerabilities surfaced NOT prioritised, as several vulnerabilities identified were not handled with urgency. Asset Management Business Environment Governance Risk Assessment Risk Management Strategy
  • 29.
    IDENTIFY CYBER RESILIENCE LIFECYCLE Defininga roadmap and action plan to build or improve Organisation’s cyber resilience plan. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● IBM X-Force RED ● IBM Q-Radar ● IBM Advanced Threat (ATP) Protection Feed ● *Solarwind Asset Management & Discovery Technique & Process: ● Cyber Resilience Preliminary Assessment ● Cyber Rapid Risk Readiness Assessment ● Software Defined Network Planning and Assessments ● Critical Data Protection Program ● Program Governance ❖ *Asset discovery tool to automate the asset discovery and management process, as opposed to a physical asset register updated manually Security assessment and review including: ● Asset inventory (includes legacy systems) ● External network ● Internal network ● Wireless network ● Internet ● Firewall ● Host & Server ● Remote access ● Risk assessment ● Pen-Test
  • 30.
    PROTECT (1/2) NIST FRAMEWORKCORE Develop and implement appropriate safeguards to ensure delivery of critical services. Identity Management system and process allowing access permission and authorisation are poorly governed and not strictly enforced. Network was also poorly segregated, segmented, and mishandled by untrained staff, allowing attackers to exploit on these vulnerabilities in the attack. Cybersecurity personnels were poorly trained, therefore unable to appreciate and co-relate their findings with tactics, techniques, and procedures (TTP) of Cyber Attacks. Awareness and Training Identity Management, Authentication and Access Control Information Protection Processes and Procedures Data Security Maintenance Protective Technology SIRT team were unfamiliar with the security policy documents and the need to escalate the matter to CSA
  • 31.
    PROTECT (2/2) NIST FRAMEWORKCORE Develop and implement appropriate safeguards to ensure delivery of critical services. **Privileged users had weak understanding of their roles and responsibilities. Absence of APT playbook - Existing SIRT playbook was geared more towards conventional attacks, like ransomware and website defacement. Cybersecurity TT exercises conducted featured APTs as one of the threat scenarios (2016) Gross neglect by IHIS organisation - omission of APTs in their playbook Weak maintenance process. Confirmation of work done is based on a "trust" system. No follow-up process to ensure enforcement of changes. Protective security solutions are in-place but poorly managed, enforced and handled. Outsourced MSS service also lacking in vigilance Awareness and Training Identity Management, Authentication and Access Control Information Protection Processes and Procedures Data Security Maintenance Protective Technology
  • 32.
    PROTECT (1/2) CYBER RESILIENCELIFECYCLE Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection Identity Management, Authentication and Access Control: ● To Improve identity management process to verified, revoked, and audited remote access and permission ● A central Public Key Infrastructure (“PKI”) to issue digital certificates to validate connections to IHiS’ network, and support key exchange for encryption purposes. ● Ensure *enforcement of policies to enforce multi-factor authentication amd complex password. Awareness and Training : ● SIRT Team need to be adequately trained and informed of policies. ● Privileged users, Third-party stakeholders, senior executives needs to be educated of their roles and responsibilities in prevention of cyber security incidents
  • 33.
    PROTECT (2/2) CYBER RESILIENCELIFECYCLE Protecting the Organisation against attacks by discovering vulnerabilities before they are exploited. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Backup as a Service ● Disaster Recovery as a Service ● Advanced Endpoint and Network Protection Technique & Process: ● Security Infrastructure Management ● Managed Guardium ● Managed Web Defense ● Insider Threat Detection Data Security: ● Network integrity needs to be improved, through network segmentation and segregation of CII assets ● Data-at-rest and in transition need to be adequately protected and encrypted to prevent data leak. ● Assets must be well managed throughout removal, transfers, and disposition. ● Integrity checking mechanism need to be inplace to check hardware, software, firmware, and information integrity. Maintenance: ● Needs to ensure the maintenance work are properly conducted, through a proof of work system as reference. Information Protection Processes and Procedures: ● Although there are several policies in-place, it needs to be better communicated to the SIRT team. ● Need to ensure vulnerability management plan is developed and implemented.
  • 34.
    DETECT NIST FRAMEWORK CORE Developand implement appropriate activities to identify the occurrence of a cybersecurity event. Detection system and policies are in placed, however personnels were not trained and equipped to recognise advanced persistent threats (APT). MSS Vendor were being contacted to assist with the monitoring and detection of the cybersecurity events. Security Continuous Monitoring Anomalies and Events Detection Processes Personnel and system were monitored and scanned for vulnerabilities but were unsuccessful in their detection, as malicious code were were stealthy by design and not detected by standard anti-malware solutions. Detection processes via MSS (eg. Anti-Malware/Virus, intrusion detection/prevention systems, SIEM) were in-placed, to successfully detect malicious activities but not the malware. Maintenance of detection tools and follow-up processes were lax; anti-Malware/Virus were not patched; Firewall was down and undetected.
  • 35.
    DETECT CYBER RESILIENCE LIFECYCLE Detectingunknown threats with advanced analytics. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Managed X-Force Detection ● X-Force Command Centers ● Resiliency Orchestration with Cyber Incident Recovery – provides dashboard monitoring of Cyber Incident, Recovery Time (RTO), and Recovery Point Objectives (RPO) Technique & Process: ● Active Threat Assessment ● Whistleblowing policy AI helps to flag out Anomalies and Events: ● Detected events are analyzed to understand attack targets and methods ● Event data are collected and correlated from multiple sources and sensors ● Establish Incident alert thresholds Continuous 24 X 7 Monitoring by a strong and knowledgeable SOC team: ● Proactive monitoring, including suspicious activities or incident. Detection processes and procedures are maintained and tested to ensure awareness of anomalous events: ● Improve maintenance of detection tools via ensuring updates. ● Procedures and procedures are well communicated and briefed to staff ● Shared Management dashboard that covers not only security incidents which were responded to and reported visible all the way up to the organisation’s CEO and be reviewed periodically.
  • 36.
    RESPOND NIST FRAMEWORK CORE Developand implement appropriate activities to take action regarding a detected cybersecurity incident Response plan and policies was not well communicated to the SIRT team. However, necessary measures were taken to limit damage during and after the Cyber attack. Roles and order of operations is well defined in the SIRT Team. Information on the incident was reported and shared within the SIRT Team to limit the incident, and subsequently to the public and external stakeholders to promote broader cybersecurity awareness. However, failure to recognise the early warning signs of the threat delayed the communication process. The delay in detection and communication process, in-turn delayed the forensic Investigation in identifying the impact and nature of the attack APT). Communications Response Planning Analysis Mitigation Improvements Recommendation surface from Annual Pen-Test/GIA audit/table top exercises were not heeded and incorporated into responds plan.
  • 37.
    RESPOND CYBER RESILIENCE LIFECYCLE Respondingeffectively to cyber outbreak. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● X-Force Threat Management Response ● Initiate Backup as a Service and Disaster Recovery as a Service for data and production recovery Technique & Process: ● Recovery notification workflow automation ● Dynamically managed infrastructure IHIS Security Incident Response Team (SIRT) preparation: ● SOC team should be trained in all kinds of malicious attacks (including ATP), aware of what are strategies and procedures to apply in response to such attack. ● SOC team need to know who are stakeholders they need to report to, ● SOC team able to have a single consolidated view to do their analysis and forensics.
  • 38.
    RECOVER NIST FRAMEWORK CORE Developand implement activities to maintain plans for resilience and to restore any capabilities or services that were impaired by the incident Recovery plan was eventually executed to mitigate attack, and prevent further data breach and data theft. IHIS have since taken a series of measure to strengthen it’s cybersecurity, Incorporating lesson learned from this incident. Public fallout was being minimised, as there was a public enquiry into the failings, in part due to Singaporean’s confidence in government's handling of the situation. Improvements Recovery Planning Communications
  • 39.
    RECOVER CYBER RESILIENCE LIFECYCLE Recoveringaccess to critical data and applications. Propose Tools, Technology, Technique & Process Task & Activities Tools & Technologies: ● Resiliency Orchestration with Cyber Incident Recovery ● Backup as a Service ● Disaster Recovery as a Service Technique & Process: ● MultiNetwork WAN (MWS) – dynamically reallocate bandwidth to support recovery IHIS Security Incident Response Team (SIRT) preparation: ● SOC team and relevant IT staff are aware of recovery procedures and plan ● Recovery plans incorporate lessons learnt ● Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
  • 40.
    Implementation Tiers - Cybersecurityprofessionals (staff) and the general employee population have had little to no cybersecurity-related training - The staff has a limited or nonexistent training pipeline. - Security awareness is limited. - Employees have little or no awareness of company security resources and escalation paths. TIER 1 PARTIAL - The staff and employees have received cybersecurity-related training - The staff has a training pipeline - There is an awareness of cybersecurity risk at the organisation level. - Employees have a general awareness of security and company security resources and escalation paths. TIER 2 RISK INFORMED - The staff possesses the knowledge and skills to perform their appointed roles and responsibilities - Employees should receive regular cybersecurity-related training and briefings - The staff has a robust training pipeline, including internal and external security conferences or training opportunities. - Organisation and business units have a security champion or dedicated security staff. TIER 3 REPEATABLE - The staff’s knowledge and skills are regularly reviewed for currency and applicability and new skills, and knowledge needs are identified and addressed. - Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics. - The staff has a robust training pipeline and routinely attend internal and external security conferences or training opportunities. TIER 4 ADAPTIVE ? ? ? ?
  • 41.
    Implementation Tiers - Cybersecurityprofessionals (staff) and the general employee population have had little to no cybersecurity-related training - The staff has a limited or nonexistent training pipeline. - Security awareness is limited. - Employees have little or no awareness of company security resources and escalation paths. TIER 1 PARTIAL - The staff and employees have received cybersecurity-related training - The staff has a training pipeline - There is an awareness of cybersecurity risk at the organisation level. - Employees have a general awareness of security and company security resources and escalation paths. TIER 2 RISK INFORMED - The staff possesses the knowledge and skills to perform their appointed roles and responsibilities - Employees should receive regular cybersecurity-related training and briefings - The staff has a robust training pipeline, including internal and external security conferences or training opportunities. - Organisation and business units have a security champion or dedicated security staff. TIER 3 REPEATABLE TARGET - The staff’s knowledge and skills are regularly reviewed for currency and applicability and new skills, and knowledge needs are identified and addressed. - Employees receive regular cybersecurity-related training and briefings on relevant and emerging security topics. - The staff has a robust training pipeline and routinely attend internal and external security conferences or training opportunities. TIER 4 ADAPTIVE IDEAL CURRENT 1.5
  • 42.
  • 45.
    Swiss Cheese Modelfor Data Breach LF AF LF Organisation influence Inadequate security defences LF Precursors of unsafe data handling Unsafe act of data handling Trajectory of data breach opportunity AF: Active Failure LF: Latent Failure
  • 46.
    Thank you forListening For more information, please visit 1. Inquiry into Singhealth Cyber attack: Report of the coi into the cyber attack on SingHealth - 10 Jan 2019 2. MoFang / Whitefly’s Profile on ThaiCert Website: Whitefly/MoFang | APT Profile 3. Foxit’s Threat report on MoFang: MoFang threat report 4. SingHealth Malware Analysis by RedAlert: Singapore custom malware analysis 5. CSA Whistleblowing channel: https://www.csa.gov.sg/legislation/whistleblowing
  • 47.
  • 48.
    Thank you forbeing great classmates All the best for your future endeavours
  • 49.
    Jia Ming Very ITsavvy and willing to share and help his other team mates Jiaming is a very good team player and humble leader of projects, always going the extra mile to ensure concepts are understood across the board, extremely meticulous with slide formatting due to his background in media. He is also organised and is able to share concepts fluidly. Very meticulous Organised Knowledgeable Good aesthetics (designer)
  • 50.
    Wee Kim Patient andalways acknowledge other less IT savvy’s team mates perspective despite her IT expertise. She is very good at explaining IT concepts in a simple term Her experience in IT helped the group a lot. Invaluable expertise and steered us in the correct direction Very knowledgeable and calm, able to help less IT savvy members grasp concepts. Also due to her previous work experience in IT, she is able to also shed light in the actual work processes to help us understand the actual situation on the ground.
  • 51.
    Very detailed oriented. Askingcrucial questions to advance project development. Shirley Extremely Diligent and put in extra effort in her own time Her perseverance is admirable and contributed in spite of being ill Very conscientious in making sure images in powerpoint are of clear quality Shirley is meticulous, always ensuring that our presentations are of high quality, even re-typing/re-making diagrams to ensure crispness of resolution and also ease of reading. She’s also very considerate, always making sure we have our meals before resuming project.
  • 52.
    We-Le He showed usan owl photo He cares for his team mates well being Provided vital IHIS related resources and document for team’s reference. Good team player who helped us search for additional resources We-Le provides level-headed feedback to the projects and is always around to share expertise from his previous industry.
  • 53.
    Dixie Highly energetic, her enthusiasmhelped us to go through this gruelling process! Translate complex technical concepts to digestible content. Always cheerful and brightens the group meetings Gave constructive ideas. Thumbs up. Fast reader / Helped to speed read the massive report