Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 323 of 425

41.4 Information and data necessary to investigate an incident must be readily available.
939. A lack of information in the early stages of the incident response process has negative knock-on effects for the entire duration of the incident response. Responders will struggle to assess the impact of the attack, contain the damage, and escalate to management. As regards the Cyber Attack, investigations were hampered by the SMD team for SingHealth’s inability to promptly obtain accurate information and data. This led to delays which proved to be significant. Two examples were observed by Vivek:

a) The CERT had to physically visit affected sites to obtain forensic images of the compromised workstations. This slowed down investigations considerably as the team would have to first locate, then subsequently arrange to visit and seize, the machines. Workstation C took five days to be located and was picked up only on 18 June 2018. Such delay would have given the attacker valuable time to penetrate deeper into the system.

b) The CERT did not have direct access to logs. Again, this created delay that could have been exploited by the attacker to penetrate deeper into the system.
940. Specifically, in relation to the two issues above, CERT should have direct access to the logs and asset management should be reviewed to accurately reflect the location of assets, so that action can be taken immediately at the desk side, if necessary. These issues should be addressed by the CERT working closely with IT staff, particularly of the Delivery Group, to understand what data sources they have, what data they are capable of producing, and how the data can be managed and accessed when needed, during an investigation into a security incident. Engaging the staff who manage the various systems, and evaluating the asset management system, will help in uncovering the full range of potential data sources.


