Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 322 of 425

2; blocking communications with a foreign IP address for PHI's network. While at some point these IP addresses must be blocked, doing so in a hurry can hamper the investigation, as it indicates to the attacker that its presence has been discovered, and attackers usually respond by moving their communications over to another IP address or URL that has not yet been flagged as malicious. A better practice would have been to first study the network traffic for signs of any active data exfiltration. If data is found to have been exfiltrated, then the IP address should be blocked. Otherwise, it should be actively monitored to learn more about the attacker's behaviour and presence in the network.

d) CERT and other responders resorted to resetting several passwords during the investigation (e.g. the LA. account, the DA. account and the AA. account). While at some point these passwords must be reset, doing so in a hurry can hamper the investigation, as it indicates to the attacker that its presence has been discovered, and attackers usually respond by using other accounts that have not yet been flagged as compromised. A better practice would have been to put the compromised passwords on active monitoring and use them to learn more about the attacker's behaviour and presence within the network.

938. In Vivek's expert opinion, a CERT team (even one formed only six months prior) should not be susceptible to the above missteps. Hence, the response plan (for example, the IR-SOP on the security incident response methodology) should be improved by setting out rules cautioning against the missteps identified above and other similar examples. This is also the expert opinion of Vivek. In addition, the response plan must also be made available to all IT staff, as they are potentially first responders (as was the case in the Cyber Attack). It cannot be confined just to the IT security personnel. All staff should be aware of what they should, and should not, do in a security situation, to ensure that the appropriate balance is struck between stopping the attack and gathering evidence.
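The two practices recommended above (study traffic to a flagged address for active exfiltration before blocking it, and keep compromised accounts under monitoring rather than resetting them at once) can be turned into a simple triage step. The following Python script is an added illustration written for this page; it is not part of the COI Report and not a tool used by SingHealth, IHiS or CERT. All flow records, logon events, host names, IP addresses (documentation ranges) and the 100 MiB exfiltration threshold are constructed sample values and assumptions, not figures from the report.

```python
"""Triage helper for flagged IPs and watchlisted accounts (added example).

Given outbound flow records and logon events, it:
  * sums bytes sent to each flagged foreign IP and recommends "block" only
    where the volume looks like active exfiltration, otherwise "monitor";
  * lists every use of a watchlisted (compromised) account so responders can
    observe the attacker instead of tipping them off with an immediate reset.
It only produces recommendations; it does not touch firewalls or accounts.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records: (timestamp, source host, destination IP, bytes out).
FLOWS = [
    ("2018-06-12T08:00:00", "ws-101", "203.0.113.9", 512),
    ("2018-06-12T08:05:00", "ws-101", "203.0.113.9", 480),
    ("2018-06-12T08:10:00", "ws-101", "203.0.113.9", 530),
    ("2018-06-12T08:12:00", "db-01", "198.51.100.7", 850_000_000),
    ("2018-06-12T08:13:00", "db-01", "198.51.100.7", 900_000_000),
    ("2018-06-12T08:20:00", "ws-202", "192.0.2.44", 1_200),
]

# Constructed sample logon events: (timestamp, account, host, result).
LOGONS = [
    ("2018-06-12T07:55:00", "LA", "ws-101", "success"),
    ("2018-06-12T08:11:00", "DA", "db-01", "success"),
    ("2018-06-12T08:30:00", "AA", "citrix-03", "failure"),
    ("2018-06-12T08:31:00", "svc_backup", "db-01", "success"),
]

# Assumed watchlists: addresses and accounts the investigation has flagged.
FLAGGED_IPS = {"203.0.113.9", "198.51.100.7"}
WATCHLIST_ACCOUNTS = {"LA", "DA", "AA"}
# Assumed threshold: 100 MiB outbound to one address is treated as exfiltration.
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024


@dataclass
class IpVerdict:
    ip: str
    bytes_out: int = 0
    hosts: set = field(default_factory=set)
    action: str = "monitor"  # "block" or "monitor"


def triage_flagged_ips(flows, flagged_ips, threshold=EXFIL_THRESHOLD_BYTES):
    """Return {ip: IpVerdict} for each flagged IP seen (or not seen) in flows."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for _ts, src, dst, nbytes in flows:
        if dst in flagged_ips:
            totals[dst] += nbytes
            hosts[dst].add(src)
    verdicts = {}
    for ip in flagged_ips:
        # Low-volume periodic traffic looks like beaconing: keep watching it.
        # Large outbound volume indicates data is leaving: block now.
        action = "block" if totals[ip] >= threshold else "monitor"
        verdicts[ip] = IpVerdict(ip, totals[ip], hosts[ip], action)
    return verdicts


def watchlist_alerts(logons, watchlist):
    """Return every logon event (success or failure) by a watchlisted account."""
    return [ev for ev in logons if ev[1] in watchlist]


if __name__ == "__main__":
    for v in triage_flagged_ips(FLOWS, FLAGGED_IPS).values():
        print(f"{v.ip}: {v.bytes_out} bytes from {sorted(v.hosts)} -> {v.action}")
    for ts, acct, host, result in watchlist_alerts(LOGONS, WATCHLIST_ACCOUNTS):
        print(f"{ts} watchlisted account {acct} on {host}: {result}")
```

On the sample data the beaconing host sends only a few hundred bytes per contact to the first address, so it stays under observation, while the database server's multi-hundred-megabyte transfers to the second address produce a "block" verdict; the three watchlisted accounts are reported, including the failed logon, without any password being reset.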