Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 254 of 425

collection of forensic artefacts, cutting the time taken from several days or weeks to just one day.
732. This centralised EDR can be monitored by an Advanced Security Operations Centre (“ASOC”), and integrated with the rest of the detection and incident response processes. Evidence can be collected remotely, consolidated with other inputs, and analysed for indicators of attack. MOH envisages that IHiS’ planned ASOC provider will assist IHiS with forensic and threat hunting capabilities, development of security tools, and security threat analytics.
37.2.2 Network forensics
733. Almost all modern network equipment (routers, switches, firewalls, etc.) supports the ability to capture data about the network traffic that flows in and out of such devices. While it appears that IHiS had tools to capture network traffic information, it did not have the means to analyse that information effectively for forensic purposes.
734. IHiS has access to NetFlow data, which contains information about traffic that traverses the network. NetFlow provides visibility of the traffic crossing instrumented devices by collecting and storing metadata about each flow, rather than the packet contents themselves.[56] Network administrators typically analyse NetFlow data to determine the source and destination of traffic, the type of service involved, and the causes of congestion. In essence, it is information largely used for troubleshooting purposes. However, NetFlow is also valuable for network forensics, as shown by its use after the Cyber Attack to determine whether the stolen patient data had been exfiltrated.

735. However, it appears that the ability to obtain forensically significant information from the massive volume of traffic data was hampered by the lack

56 Metadata includes information such as username, source and destination IP, URL, start and end time and much more. See Plixer: NetFlow Version 9. (Standard flow records carry the source and destination addresses and ports, protocol, byte and packet counts and start/end times; fields such as username or URL are present only where the exporter or collector enriches the flow records with them.)
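The forensic use of NetFlow described in paragraph 734, checking whether data left the network, worked through as an added example (this is not code from the COI report or from IHiS). It assumes the flow metadata has already been exported from a flow collector as CSV with the columns shown, which are the fields NetFlow records themselves carry; the sample rows, IP addresses, the internal address ranges and the thresholds are all constructed for illustration.

```python
"""Exfiltration triage over NetFlow-style flow records.

Added example; not code from the COI report or from IHiS. It assumes flow
metadata has already been exported from a flow collector as CSV with the
columns below (the fields NetFlow itself carries: start/end time, 5-tuple,
byte and packet counts). All rows, addresses and thresholds are constructed.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export. 10.10.5.21 moves ~2.4 GB to one external host
# over TLS in the small hours; the other rows are ordinary noise.
SAMPLE_FLOWS = """\
start,end,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
2023-11-20T02:10:00,2023-11-20T02:10:05,10.10.5.21,51234,10.10.1.10,1433,6,8200,40
2023-11-20T02:11:00,2023-11-20T02:31:00,10.10.5.21,51240,203.0.113.77,443,6,1480000000,1100000
2023-11-20T02:12:00,2023-11-20T02:12:01,10.10.5.22,51300,198.51.100.9,53,17,160,2
2023-11-20T02:15:00,2023-11-20T02:45:00,10.10.5.21,51250,203.0.113.77,443,6,900000000,700000
2023-11-20T09:00:00,2023-11-20T09:00:30,10.10.5.30,52000,93.184.216.34,443,6,52000,80
"""

# Address space treated as "inside" (assumed; adjust to the organisation's ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Turn a CSV export into typed flow dicts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "end": datetime.fromisoformat(row["end"]),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
            "packets": int(row["packets"]),
        })
    return flows


def outbound_totals(flows):
    """Aggregate bytes per (internal source, external destination, port).

    Flow exporters split a long session into many records (active timeout),
    so the per-pair total, not the per-record size, is the forensic signal.
    """
    totals = {}
    for f in flows:
        if not is_internal(f["src_ip"]) or is_internal(f["dst_ip"]):
            continue  # only inside -> outside traffic can be exfiltration
        key = (f["src_ip"], f["dst_ip"], f["dst_port"])
        t = totals.setdefault(key, {"bytes": 0, "flows": 0,
                                    "first": f["start"], "last": f["end"]})
        t["bytes"] += f["bytes"]
        t["flows"] += 1
        t["first"] = min(t["first"], f["start"])
        t["last"] = max(t["last"], f["end"])
    return totals


def exfil_candidates(flows, min_bytes=100_000_000, quiet_hours=range(0, 6)):
    """Return outbound pairs worth a closer look, largest first.

    A pair is flagged when it moved at least min_bytes, or when it first
    appeared during quiet hours (both thresholds are constructed; tune per site).
    """
    candidates = []
    for (src, dst, port), t in outbound_totals(flows).items():
        reasons = [name for name, hit in (("large", t["bytes"] >= min_bytes),
                                          ("off_hours", t["first"].hour in quiet_hours))
                   if hit]
        if reasons:
            candidates.append({"src": src, "dst": dst, "dst_port": port,
                               "reasons": reasons, **t})
    candidates.sort(key=lambda c: c["bytes"], reverse=True)
    return candidates


def bytes_to(flows, dst_ip):
    """Total bytes sent from internal hosts to one suspected exfiltration host."""
    return sum(f["bytes"] for f in flows
               if f["dst_ip"] == dst_ip and is_internal(f["src_ip"]))


if __name__ == "__main__":
    for c in exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f'{c["src"]} -> {c["dst"]}:{c["dst_port"]} {c["bytes"]:,} bytes '
              f'over {c["flows"]} flow(s), {c["first"]} to {c["last"]}, {c["reasons"]}')
```

The point of aggregating per source/destination pair rather than looking at single records is that flow exporters cut long-lived sessions into several records, so a multi-gigabyte transfer shows up as a run of moderately sized flows; the small DNS flow is flagged only on the off-hours rule, which is the kind of low-value hit a volume threshold is there to rank below the real signal. With a suspected command-and-control or staging host identified from the endpoint side, `bytes_to` answers the question the report says NetFlow was used for: how much left the network for that destination, and when.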