COI Report – Part VII, Page 405 of 425

(i) Unauthorised modification of content or data (unexplained or unauthorised code changes, compromised/defaced website, etc.)
1175. It is important that the IR plan emphasises that context is crucial to understanding whether a cyber attack is taking place. For example, a single ping (a utility used to determine whether a specific Internet Protocol (“IP”) address, or host, exists or is accessible) on the network initiated from an external source may require minimal, if any, response. No mitigating actions may be necessary since no harmful effects were caused by the incident. However, a suspicious pattern of pings on the communications network initiated from an external source, or a specific malicious security incident, would require a more detailed response, mitigation steps, and more detailed documentation of the incident and outcome. Again, it must be highlighted that employees must look at the indicators cumulatively, and not in isolation, to determine if an attack is in progress.
1176. There should be a particular focus on familiarising staff with APTs, as the signature feature of an APT attack is its propensity to remain under the radar, exploiting weaknesses in the ability of employees to detect and respond to subtle signs of attack. The Committee was informed that IHiS is adding a playbook for APT. IHiS should consider automating the playbook as an online knowledge retention tool for the purpose of guiding frontline responders. The plan should also familiarise staff with indicators of attack. Some suggested indicators are in the following sections.
49.3.1 Suspicious Privileged Account Activity

1177. As was seen from the Cyber Attack, should an attacker gain access to a user account on the network, the attacker will often seek to elevate the account’s privileges, or use it to gain access to a different account with higher privileges. Staff need to be told to watch out for out-of-hours account usage, and account activity which is out of character for that particular user, etc.
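The two points above, that indicators must be weighed cumulatively rather than in isolation (paragraph 1175) and that out-of-hours usage, activity out of character for a user, and privilege elevation are the signs to watch for (paragraph 1177), can be made concrete as a small scoring routine over account-activity logs. The following is an added illustration, not part of the COI Report and not IHiS's playbook or tooling; the log format, the working-hours window, the per-user baseline of hosts, the indicator weights and the alert threshold are all assumptions chosen for the example, and the log lines are constructed.

```python
from datetime import datetime, time

# Constructed sample log lines (not from the report):
# "<date> <time> <account> <event> <host>"
SAMPLE_EVENTS = [
    "2018-06-27 09:12:04 alice LOGIN ws-012",
    "2018-06-27 10:45:30 alice FILE_ACCESS ws-012",
    "2018-06-27 23:41:10 alice LOGIN srv-db-01",
    "2018-06-27 23:43:55 alice PRIV_ESCALATION srv-db-01",
    "2018-06-27 23:50:02 alice LOGIN srv-db-02",
    "2018-06-28 08:30:00 bob LOGIN ws-044",
    "2018-06-28 03:05:11 bob LOGIN ws-044",
]

# Assumed working-hours window and per-user baseline of hosts normally used.
WORK_START, WORK_END = time(7, 0), time(20, 0)
BASELINE_HOSTS = {"alice": {"ws-012"}, "bob": {"ws-044"}}

# Assumed weights: a lone out-of-hours login is weak evidence on its own,
# privilege elevation is strong. Only the cumulative score raises an alert.
WEIGHTS = {"out_of_hours": 1, "unusual_host": 2, "priv_escalation": 3}
ALERT_THRESHOLD = 4


def parse_event(line):
    """Split one constructed log line into (timestamp, account, event, host)."""
    date, clock, account, event, host = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, account, event, host


def indicators_for(ts, account, event, host):
    """Return the list of indicator names that a single event triggers."""
    hits = []
    if not (WORK_START <= ts.time() < WORK_END):
        hits.append("out_of_hours")            # usage outside the normal window
    if host not in BASELINE_HOSTS.get(account, set()):
        hits.append("unusual_host")            # activity out of character for the user
    if event == "PRIV_ESCALATION":
        hits.append("priv_escalation")         # attempt to elevate privileges
    return hits


def score_indicators(lines):
    """Accumulate indicator scores per account across all events."""
    summary = {}
    for line in lines:
        ts, account, event, host = parse_event(line)
        entry = summary.setdefault(account, {"score": 0, "indicators": set()})
        for name in indicators_for(ts, account, event, host):
            entry["score"] += WEIGHTS[name]
            entry["indicators"].add(name)
    # Freeze the indicator sets as sorted lists for stable reporting.
    return {
        acct: {"score": e["score"], "indicators": sorted(e["indicators"])}
        for acct, e in summary.items()
    }


def flagged_accounts(lines, threshold=ALERT_THRESHOLD):
    """Accounts whose cumulative score reaches the alert threshold."""
    scores = score_indicators(lines)
    return sorted(a for a, e in scores.items() if e["score"] >= threshold)


if __name__ == "__main__":
    for account, entry in score_indicators(SAMPLE_EVENTS).items():
        print(account, entry)
    print("flagged:", flagged_accounts(SAMPLE_EVENTS))
```

On the constructed data, bob's single 03:05 login scores 1 and is not flagged, while alice's late-night logins to unfamiliar database servers combined with a privilege-elevation event accumulate to 12 and trip the alert; that difference is the "cumulatively, not in isolation" point from paragraph 1175.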