Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 256 of 425

classification) being regarded as being of low risk. Consequently, endpoints have less coverage in terms of defensive, preventive and detection controls. Attackers know this, and exploit this vulnerability by targeting endpoints as part of their modus operandi.

739. Endpoints are the common points of ingress for attackers, and the platforms from which an attack is propagated, after initial breach is achieved. Further, multiple endpoints may be compromised during lateral movement, as the attacker navigates the network towards its end objective.

740. Given the nature of the advanced cyber threats that organisations now face, conventional signature-based and prevention-oriented solutions are insufficient. The conventional technique for detecting malware is to check whether a program or process has been previously identified as being malicious. These checks depend on signatures that have been identified as being associated with the program or process – the name of the program or process, the size of the program, the date when it was created, a hash of the program etc. A signature-based approach to detection has two primary weaknesses. First, it is easy to alter the malware code without affecting what it can do. An unlimited number of functionally equivalent variants of the malware can thus be created with different signatures, thereby frustrating signature-based detection. Second, signature-based detection cannot identify a program as a virus or malware if the program has never been seen before.

741. Further, a new type of so-called fileless malware has emerged. Unlike attacks carried out using conventional file-based malware, intrusions using fileless malware do not involve attackers installing malicious programs on a victim’s computer. Instead, tools that are built in to Windows (for example, PowerShell) are abused by attackers and used for malicious purposes.
The fact that conventional file-based malware is not used is significant, as this means that there is no signature for antivirus software to detect. Fileless malware can not only slip into a system without being detected by signature-based endpoint
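The two weaknesses of signature-based detection described in paragraph 740, and the blind spot for abuse of built-in tools described in paragraph 741, can be shown in a few lines of Python. The following is an added illustration and not code from the COI report or from any product discussed in it. The "programs" are constructed byte strings standing in for executables (no real malware is involved), the process events are constructed, and the parent-process rule at the end is a hypothetical behavioural heuristic chosen for illustration, not a rule the report prescribes.

```python
"""Why name/size/hash signatures miss trivial variants, never-seen samples,
and abuse of legitimate built-in tools. All samples and events are constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Signature:
    """The kind of attributes a conventional signature records (para. 740)."""
    name: str
    size: int
    sha256: str


def make_signature(name: str, content: bytes) -> Signature:
    return Signature(name, len(content), hashlib.sha256(content).hexdigest())


# Constructed stand-in for a previously catalogued malicious program.
KNOWN_BAD = b"MZ-constructed-sample-v1"
# Constructed stand-in for the legitimate, built-in PowerShell binary.
POWERSHELL_BINARY = b"MZ-constructed-legitimate-powershell"

SIGNATURE_DB = {make_signature("dropper.exe", KNOWN_BAD)}


def signature_match(name: str, content: bytes) -> bool:
    """Conventional check: exact name + size + hash already catalogued?"""
    return make_signature(name, content) in SIGNATURE_DB


def hash_only_match(content: bytes) -> bool:
    """Looser check that ignores the file name, still defeated by any byte change."""
    known_hashes = {s.sha256 for s in SIGNATURE_DB}
    return hashlib.sha256(content).hexdigest() in known_hashes


def functionally_equivalent_variant(content: bytes) -> bytes:
    """First weakness: trailing padding changes size and hash but not behaviour
    (executable formats ignore bytes beyond the declared image)."""
    return content + b"\x00"


# Hypothetical behavioural rule (assumption, not from the report): a document
# application spawning a built-in script host is worth investigating.
BUILTIN_SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str                # executable name of the new process
    parent: str               # executable name of the parent process
    image_bytes: Optional[bytes]  # content of the executable on disk


def classify(event: ProcessEvent) -> List[str]:
    """Run both the signature check and the behavioural rule over one event."""
    findings: List[str] = []
    if event.image_bytes is not None and hash_only_match(event.image_bytes):
        findings.append("signature-match")
    if (event.image.lower() in BUILTIN_SCRIPT_HOSTS
            and event.parent.lower() in DOCUMENT_APPS):
        findings.append("suspicious-parent")
    return findings


if __name__ == "__main__":
    variant = functionally_equivalent_variant(KNOWN_BAD)
    print("original catalogued:", signature_match("dropper.exe", KNOWN_BAD))
    print("padded variant caught:", hash_only_match(variant))          # False
    print("never-seen sample caught:", hash_only_match(b"MZ-brand-new"))  # False
    # Fileless case: the only file on disk is the legitimate PowerShell binary,
    # so the signature check has nothing to match; only behaviour stands out.
    fileless = ProcessEvent("powershell.exe", "winword.exe", POWERSHELL_BINARY)
    print("fileless event findings:", classify(fileless))
```

The padded variant and the never-seen sample both pass the hash check, which is the report's first and second weakness respectively. In the fileless event the signature check reports nothing, because the only file involved is the genuine Windows binary; whatever is caught is caught by looking at how the tool is being used, not at what is on disk.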