Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 263 of 425

759. As regards the defences that IHiS had in place, firewalls can block malicious outgoing communications with C2 servers, but only if the C2s are known to be malicious – firewall rules can then be created to block outgoing communications with such servers. Firewalls, however, will be of little use in blocking outgoing communications with servers that are not known to be malicious.
760. As for intrusion detection systems such as IDS and IPS, these typically focus on the protection of local resources by identifying signs of malicious activity to help prevent a network intrusion and limit its effects. They are designed to prevent incoming attacks by checking all incoming traffic for security threats. IDS and IPS typically would not monitor outgoing traffic.
761. However, an IDS/IPS can be configured to monitor outgoing traffic, so as to detect and help mitigate compromised hosts on a network reaching the internet, and this can prevent C2 functions. It is unclear if the IDS/IPS deployed in the SingHealth network were so configured. What is clear is that monitoring of the SingHealth network did not flag the callbacks from compromised endpoints to multiple C2 servers.
762. It is recommended that IHiS review the effectiveness of current security technologies to detect and block malicious outgoing traffic. If no effective solutions are in place to detect callbacks to malicious C2s, such capability must be attained. Vivek has informed that solutions with such capability to provide real-time intelligence on callbacks to C2s are commercially available. These solutions can recognise the signature of malware calling back to a C2, since callback traffic has several fingerprints which can be tracked and caught.
763. Such solutions are known as ATP for networks, and typically use anomaly-based detection, which often relies on machine learning. When outgoing traffic deviates from parameters of traffic known to be benign, i.e. “good” traffic, the system takes this as evidence of malicious traffic and responds accordingly.
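Paragraphs 762 and 763 describe callback traffic as having fingerprints that can be tracked, and anomaly-based tools as flagging outgoing traffic that departs from known-good parameters. The following Python script is an added illustration, not part of the COI report or of any product it mentions: it detects one such fingerprint, periodic low-jitter outbound connections to destinations outside a known-good set, over a constructed egress log. The hostnames, addresses, thresholds and the allow-list are assumptions.

```python
"""Flag periodic outbound callbacks (beaconing) in an egress connection log."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log: (timestamp in seconds, source host, dst ip, dst port).
# ws-01 connects every ~60 s with small jitter; ws-02 is irregular; ws-03 polls an
# assumed known-good update server; ws-04 has too few connections to judge.
SAMPLE_LOG = [
    (0, "ws-01", "203.0.113.5", 443), (61, "ws-01", "203.0.113.5", 443),
    (120, "ws-01", "203.0.113.5", 443), (181, "ws-01", "203.0.113.5", 443),
    (240, "ws-01", "203.0.113.5", 443), (299, "ws-01", "203.0.113.5", 443),
    (360, "ws-01", "203.0.113.5", 443),
    (5, "ws-02", "198.51.100.20", 443), (12, "ws-02", "198.51.100.20", 443),
    (300, "ws-02", "198.51.100.20", 443), (310, "ws-02", "198.51.100.20", 443),
    (900, "ws-02", "198.51.100.20", 443),
    (0, "ws-03", "192.0.2.10", 443), (300, "ws-03", "192.0.2.10", 443),
    (600, "ws-03", "192.0.2.10", 443), (900, "ws-03", "192.0.2.10", 443),
    (50, "ws-04", "203.0.113.77", 8080), (110, "ws-04", "203.0.113.77", 8080),
]
# Assumed allow-list of destinations already known to be benign (hypothetical).
KNOWN_GOOD = {"192.0.2.10"}


def group_flows(log):
    """Group connection timestamps by (source host, destination ip, port)."""
    flows = defaultdict(list)
    for ts, src, dst, port in log:
        flows[(src, dst, port)].append(ts)
    return flows


def beacon_score(timestamps, min_connections=4):
    """Return (mean interval, coefficient of variation of the intervals).

    A low coefficient of variation means the connections recur at a near-fixed
    period, which is the callback fingerprint this example looks for.
    Returns None when there are too few connections to judge.
    """
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return (avg, pstdev(gaps) / avg) if avg > 0 else None


def find_beacons(log, known_good, max_cv=0.15, min_connections=4):
    """List flows to non-allow-listed destinations whose interval jitter is below max_cv."""
    hits = []
    for (src, dst, port), ts in group_flows(log).items():
        if dst in known_good:
            continue
        score = beacon_score(ts, min_connections)
        if score is not None and score[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(ts), "interval_s": round(score[0])})
    return hits
```

A hit such as ws-01 here would be an alert to investigate, not proof of compromise; legitimate software also polls on a schedule, which is why the known-good set matters.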