Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

41.2 Predefined modes of communication must be used during incident response
930. Communication and coordination between members of the CERT, and between the CERT, SIRT and management, is critical.
931. During the Cyber Attack, as observed by Vivek, communication within the CERT was “ad-hoc using various means such as TigerConnect chat, WhatsApp, emails, Excel sheets, PPT and other undocumented discussions”. In Vivek’s expert opinion, this lack of formal coordinated communication impacted the investigation in more ways than one – critical information was not captured properly, captured in a fragmented manner, or was not shared with, or communicated clearly to, the relevant individuals. For example, there were various occasions in June and July 2018 when Benjamin had shared his ad hoc observations on the incidents in the SingHealth network with Ernest and Wee via Powerpoint slides, but both Ernest and Wee had difficulty understanding the significance of the information Benjamin was sharing.
932. In the absence of a coordinated system for communication, it proved to be a major challenge to find, coordinate and communicate with the key parties involved in responding to the incident. Vivek also observed that “[i]mportant action items were not tracked and followed upon”, and cited the following particular examples:

a) The user account for Workstation A had been identified as an account involved in suspicious activity as early as January 2018, but no action was taken on this finding and it was not tracked to closure. In fact, the user account for Workstation A later played a significant part in the Cyber Attack in June 2018, when it was used to access Citrix Server 4 from workstation VM 2; and

b) There was no follow-up on other instances of access to a foreign IP address logged in PHI 1’s firewall logs in January 2018. This proved to be significant, as this IP address belonged to a malicious C2 server that was later used during the Cyber Attack.

COI Report – Part VII
Page 320 of 425
933. In Vivek’s expert opinion, it is possible that investigation and proper follow-up on the above activities would have offered the CERT a chance to hunt the attacker before he did further damage during the Cyber Attack.
934. Accordingly, a formal method of communication should be established by IHiS led by the CEO, in the form of a centralised communication dashboard. This central dashboard would display all the details of the current state of investigations, allowing all members of the incident response team to keep abreast of developments and retrieve the information necessary to perform their roles. This would provide a more coordinated means of communication and would serve to document all communications, and limit the disruption and confusion arising from constant messaging across multiple platforms. Multiple streams of communication across different channels could otherwise overwhelm individuals and lead to missed messages or conflicting information.
935. For example, there was no centralised way for members of the CERT to ascertain whether items were being followed upon. In January 2018, Benjamin had already discovered that there were instances of callbacks to a suspicious IP address from PHI 1 and SGH. He arranged for this IP address to be blocked from PHI 1’s network, but not from the SGH network. Benjamin sent an email to Ernest and his other colleagues from SMD, but did not follow up and was not personally aware if anyone had blocked the suspicious IP address from the SingHealth network. In fact, no one did. A centralised communication dashboard can also help in managing, tracking and segregating information and updates relating to multiple concurrent investigations that may be ongoing.