COI Report – Part IV, Page 135 of 425

22.9 Assessment of IHiS’ incident response on 13 June 2018

407. The Committee finds that Benjamin’s response was, on many counts, timely and appropriate. He recognised that the incidents were suspicious, took the initiative by investigating leads and acquiring forensic images, and even purchased extra external hard drives to do his work. He also kept his superiors, Ernest and Wee, informed at all times. However, his response could have been improved in some respects:

a) First, as observed by Vivek, some of Benjamin’s actions demonstrated inexperience and poor judgment. In particular, Benjamin’s focus on shutting down systems that were exhibiting suspicious behaviour (e.g. Citrix Server 1 and the PHI 1 Workstation) led to loss of potentially valuable forensic evidence. A better practice would have been to put the systems on a quarantine network, without turning off the power, for further study.

b) Second, the fact that Benjamin was communicating over both email and TigerConnect was not ideal, as it led to fragmentation of information and confusion for recipients. Additionally, it made it hard to keep records of the information flow, as TigerConnect chats are deleted after 30 days. This was not Benjamin’s fault, as no formal system of recording investigation findings was in place for use during incident response. Nonetheless, it would have been better for official modes of communication to be mandated and enforced to prevent confusion.
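The practice described in (a) above, isolating a suspicious host on the network rather than powering it down because running processes, memory contents and live connections disappear on shutdown, as an added example that is not part of the COI report or of IHiS’ own procedures. It assumes a Linux host rather than the Citrix server and workstation named in the report, reads the kernel’s /proc/net/tcp socket table, wraps the capture in a SHA-256-hashed record so its integrity can be shown later, and returns (does not execute) iptables commands that leave the host powered on but reachable only from an assumed forensic collector at 10.0.99.5. The sample socket table is constructed for the example.

```python
"""Live-response triage sketch for a suspicious host: capture volatile state
first, then place the host on a quarantine network instead of powering it
off.  Added example for this section; not code from the COI report or IHiS."""
import hashlib
import json
import time

# Constructed sample of /proc/net/tcp (Linux; addresses and ports are
# little-endian hex), used so the example runs offline.  On a real host,
# pass open("/proc/net/tcp").read() instead.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:D4E1 5BDC1A2C:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def _decode_addr(field):
    """'0F02000A:01BB' -> ('10.0.2.15', 443); the address bytes are little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_connections(proc_net_tcp_text):
    """Return one dict per socket line of /proc/net/tcp; the header is skipped."""
    conns = []
    for line in proc_net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = _decode_addr(f[1])
        raddr, rport = _decode_addr(f[2])
        conns.append({"local": f"{laddr}:{lport}", "remote": f"{raddr}:{rport}",
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def evidence_record(name, payload, collected_at=None):
    """Wrap a volatile artefact with a timestamp and a SHA-256 over its
    canonical JSON, so later analysis can show it was not altered."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"artefact": name,
            "collected_at": collected_at if collected_at is not None else time.time(),
            "sha256": hashlib.sha256(canonical.encode()).hexdigest(),
            "data": payload}


def isolation_rules(collector_ip):
    """iptables commands (returned as strings, not executed) that keep the host
    powered on but reachable only from the forensic collector.  ACCEPT rules
    are inserted before the DROP policies so an existing collector session is
    never cut; blocked egress is logged, since beacon attempts are evidence."""
    return [
        "iptables -I INPUT 1 -i lo -j ACCEPT",
        "iptables -I OUTPUT 1 -o lo -j ACCEPT",
        f"iptables -I INPUT 2 -s {collector_ip} -j ACCEPT",
        f"iptables -I OUTPUT 2 -d {collector_ip} -j ACCEPT",
        "iptables -A OUTPUT -j LOG --log-prefix 'QUARANTINE-EGRESS ' --log-level 4",
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
    ]


def triage(proc_net_tcp_text, collector_ip, collected_at=None):
    """Order matters: volatile evidence is captured before the network is cut,
    and the power is never touched."""
    connections = parse_connections(proc_net_tcp_text)
    record = evidence_record("proc_net_tcp", connections, collected_at)
    return {"evidence": record, "isolation": isolation_rules(collector_ip)}


if __name__ == "__main__":
    # Assumed collector address; the socket table is the constructed sample above.
    print(json.dumps(triage(SAMPLE_PROC_NET_TCP, "10.0.99.5"), indent=2))
```

On a real host the same pattern applies to the process list and a memory image: capture and hash each artefact first, then apply the rules from a session that originates at the collector address so the ACCEPT entries keep it open. The forensic image that Benjamin acquired still has value; what a power-off loses is the live state this capture preserves.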
408. The Committee also notes that at the material time, there was no relevant playbook in the IR-SOP that could guide Benjamin in identifying the nature of and responding to the suspicious activities that IHiS staff had detected. The playbooks that were available lacked details on the tactics, tools and procedures of advanced threat actors. As stated in section 18.3 (pg 104) above, the senior levels of IHiS’ management were alive to the risk of APTs from as early as August 2016. But this awareness was not reflected in the SOPs in place at the