Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part IV Page 122 of 425 these findings with the TTPs of an advanced cyber attacker. That said, this was not necessarily their fault. There is no evidence that they had been given the requisite training to do so, despite the fact that IHiS’ Senior Management had appreciated the risk of APTs from as early as August 2016 (as explained in section 18.3 (pg 104) above. 352. Likewise, Katherine and Lum were not familiar with relevant policy documents such as the IR-SOP and the SIRF. They were therefore not in a position to understand that the suspicious instances of attempted access to the SCM database, which is a CII, in fact constituted a potential security incident, requiring an urgent response and reporting all the way to CSA. Furthermore, IHiS did not have an incident reporting framework for line staff, and there was no clarity on how incidents were to be reported to management. 353. This lack of appreciation by the line-staff of the security implications of their findings and the need to report security incidents all the way to CSA would prove to be a consistent feature of IHiS’ incident response up until 4 July 2018. 354. This was a weakness which was rightly observed by Vivek – in his expert opinion, representatives from all IT teams (e.g.database teams, network teams etc) should be involved in IT security training, including tabletop exercises. This recognises the fact that aside from formal incident responders, the persons who would first experience the signs, and who would need to be equipped with the ability to detect signs of a cyber attack, are the operational IT staff in an environment such as IHiS. 355. That said, there were a few positive aspects from the Citrix Team’s response. These were observed by Vivek: (a) the availability of logs (even after they were deleted by the attacker (b) detecting the presence of malware and (c) being able to identify the host names that were connecting to Citrix Server 1 and track historical logins.
