Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 295 of 425 teaming can be more effective invalidating the people, processes and technology of an organisation. 853. According to the CIS, “Red Team exercises take a comprehensive approach at the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficacy of defenses and mitigating controls already in place and even of those planned for future implementation”. 73 854. In this Cyber Attack, CSA found that the attacker was a skilled and sophisticated APT actor who employed advanced network intrusion techniques and customised malware to evade security measures. Given that APT attacks are likely to become more prevalent, Dan recommended that organisations may consider red teaming to fully appreciate the vulnerabilities present in their networks. This is because there are limitations to penetration testing. Penetration test teams have a limited amount of time with a system, and would look for the easiest or most time-effective way to gain access to the system. In contrast, APT attackers could wait patiently for months or years in a network. The vulnerabilities identified in a penetration test may thus not be comprehensive or indicative of all the vulnerabilities present in a network that could be exploited. 855. Kim Chuan testified that the Clusters' internet-facing systems are subject to internal ethical hacking, which can be considered to be red teaming activities. He also explained that efforts were being taken to conduct similar activities on Clusters internal systems. 856. Dan explained that where such a function is done internally, the term is either blue team or white team. The key is that red teaming is to be done by someone who is not involved in the daily operations, as well as not involved in 73 CIS Controls Version 7 at control 20: Penetration Tests and Red Team Exercises.
