COI Report – Part II, Page 40 of 425
111. SingHealth’s SIRM is Ernest. The SIRT reports to the SIRM, and the SIRM plays a key role in leading and coordinating technical incident response, namely to “lead the effort of the (SIRT) and coordinate activities between all of its respective groups” and to “receive the initial IR alerts and responsible for activating the IR team and managing all parts of the IR process”.
112. Of note is the SingHealth Computer Emergency Response Team (“CERT”), the first responders who are responsible for performing incident analysis to determine the scope and nature of the incident, collecting forensic evidence, tracking or tracing the intruder, and providing onsite assistance to help with incident recovery. The three-man CERT was established in March 2018. Benjamin is the one member of the CERT who has attended an incident response course (“Hacker Tools, Techniques, and Incident Handling” by SANS Institute), while the other two members have not received any formal incident response training.
113. Also included in the IR-SOP is a set of Security Incident Response Plans, or playbooks, that provide a step-by-step guide on the SIRT’s incident response for specific scenarios. Hann Kwang explained that the playbooks were targeted in terms of malware, ransomware and website defacement, as this was based on the threat intelligence for the healthcare sector “for the last 1, 2 years”. There was no playbook on attacks by Advanced Persistent Threats, and the existing playbooks lacked details on the tactics, tools, and procedures of advanced threat actors.