COI Report – Part VII, Page 261 of 425

computers, users, and programs to perform their permitted critical functions within a secure environment.

753. According to Leong Seng, the SCM IT network had preventive measures securing network traffic at every tier and every access point, including within and across the various sectors. He added that prior to the Cyber Attack, IHiS had in place a range of preventive measures to address network security, including:

a) Network firewalls, which segregate each network segment so as to ensure that only authorised network traffic is permitted to cross segments or zones, and which filter incoming and outgoing network traffic based on sets of rules;

b) Intrusion Detection and Prevention Systems (“IDS/IPS”), which are used in SingHealth and H-Cloud to inspect network traffic in real-time, and to block and generate alerts for traffic associated with security risks and threats; and

c) Proxy servers, which act as intermediaries between users and the internet.

754. However, the tools and technologies in place were shown to be inadequate during the Cyber Attack, in two respects:

a) callbacks to C2 (command and control) servers went undetected for months; and

b) lateral movement by the attacker through numerous systems similarly went undetected.

Footnote: SANS Institute, Network Security Resources.
755. These two aspects of the attacker’s behaviour relate to the Command and Control and Actions on Objective phases of the Cyber Kill Chain. Had the network cyber stack been adequate, the Cyber Kill Chain may have been disrupted at either one, or both, of these phases.

Footnote: The Cyber Kill Chain reveals the phases of a cyber attack from early reconnaissance to the goal of data exfiltration. See also paragraph 141 (page 51).

37.4.1 A solution must be put in place to better detect and block malicious outgoing traffic

756. C2 servers, to which callbacks were being made from compromised endpoints in the SingHealth network, were identified through malware and forensic analysis by CSA.

757. During the early stages of the Cyber Attack, outgoing communications with one C2 server were detected, but only by the fortuitous actions of Benjamin, who discovered the callbacks in January 2018 when investigating a malware-infected workstation. However, human error on the part of Benjamin resulted in this C2 not being blocked. Worse still, according to Ernest, the Senior Manager of SMD, communications with the C2 server need not have been blocked, in any event, as it had not been confirmed as being a malicious C2. The failure to have an effective solution to automatically detect and block malicious outgoing traffic had dire consequences, as the C2 server was actively used throughout the attack in June/July 2018.

758. It is precisely to avoid errors in judgment like this that Vivek has recommended the implementation of advanced detection tools for malicious traffic on all outbound internet traffic. This is important because most attacker communications would have to traverse the internet and so can be spotted with the right level of monitoring. Alerts should be configured such that every detection of C2 traffic is treated with high priority.
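As an added illustration of the automated outbound-traffic detection recommended in paragraph 758 (example code written for this page, not a tool of the COI, IHiS or SingHealth), the script below runs over constructed proxy log lines and raises high-priority alerts both for destinations on a threat-intelligence deny list and for the regular, low-volume beaconing that C2 callbacks typically show. The log format, hostnames and deny list are assumptions.

```python
"""Outbound C2 callback detector over proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<timestamp> <src_ip> <dst_host> <bytes>"
SAMPLE_LOG = """\
2018-01-15T09:00:00 10.1.2.3 updates.example-vendor.com 8812
2018-01-15T09:00:05 10.1.2.3 c2-placeholder.invalid 301
2018-01-15T09:01:05 10.1.2.3 c2-placeholder.invalid 299
2018-01-15T09:02:04 10.1.2.3 c2-placeholder.invalid 305
2018-01-15T09:03:06 10.1.2.3 c2-placeholder.invalid 300
2018-01-15T09:04:05 10.1.2.3 c2-placeholder.invalid 298
2018-01-15T09:00:40 10.1.2.7 news.example.com 15320
2018-01-15T09:07:12 10.1.2.7 news.example.com 22010
2018-01-15T09:30:00 10.1.2.7 known-bad.invalid 512
"""

KNOWN_C2 = {"known-bad.invalid"}  # hypothetical threat-intel deny list


def parse(log_text):
    """Turn raw log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def detect_callbacks(events, min_beacons=4, max_jitter=0.2):
    """Return HIGH-priority alerts: deny-list hits plus periodic beaconing.

    Every hit is HIGH, so no analyst judgment is needed to escalate it."""
    alerts = []
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst in KNOWN_C2:
            alerts.append(("HIGH", src, dst, "known C2 indicator"))
        by_pair[(src, dst)].append(ts)
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Beacons keep a near-constant interval; normal browsing does not.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            alerts.append(("HIGH", src, dst, f"beaconing every ~{mean(gaps):.0f}s"))
    return alerts
```

Feeding such alerts straight to a proxy or firewall block rule removes the human step on which detection depended in January 2018.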