Understanding digital clues key in cyber breaches: LogRhythm exec

In light of the recent SingHealth attack, Matthew Winter of LogRhythm discusses how such breaches can be prevented.

  • Big companies need to ensure that their weakest links are taken care of.
  • Singapore’s economic and geopolitical position will attract more cyber attacks.
  • Early detection involves understanding digital clues and fingerprints, says Matthew Winter of US-based cyber security firm LogRhythm.

Appointing a Committee of Inquiry.
Disconnecting work computers at public healthcare centres from the Internet.
Sending SMSes to those who were affected.
Debunking fake SMSes by those leveraging on this crisis.
Banks ordered to ensure that stolen data cannot be used by criminals to access customer accounts.

These are steps the Singapore government has taken to reduce the impact of the massive cyber attack it suffered earlier this month, which it announced to the public on July 20 this year. Hackers, suspected to be a state-sponsored group given the scale of the attack, had infiltrated the country’s national health group SingHealth and stolen 1.5 million non-medical records and 160,000 outpatient prescription records.

Non-medical records include name, NRIC number, address, gender, race and date of birth, which can be used for nefarious activities, including accessing banking or telecom information over the phone.

Prime Minister Lee Hsien Loong, whose records were also stolen, said in a post on Facebook that the attackers targeted his data specifically and repeatedly.

He added, “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

David Koh, Chief Executive of the Cyber Security Agency, the national body managing the response to the attack, told reporters at a press conference on the SingHealth breach that there is no strong commercial value linked to the stolen personal information, as the records are “basic demographic data”.

However, both cybersecurity and medical experts have concurred that such records can contain a trove of identifiable data about people, both public figures and the average person.

For example, outpatient prescription records can indicate the state of a public figure’s health and what diseases and illnesses they are suffering from. This can then be used for blackmail or to stir up unrest if released publicly. Additionally, the average person’s data can be used in identity theft, or even by pharmaceutical firms to market various medications.

Cyber attacks are not rare in the private or public sector. US-based security intelligence firm LogRhythm published a benchmarking study this year noting that 39 per cent of the Asia Pacific companies it surveyed reported experiencing a breach in the last year.

Matthew Winter, VP of Corporate and Business Development, LogRhythm

Matthew Winter, VP of Corporate and Business Development at LogRhythm, told KrASIA that given Singapore’s strategic position as an economic hub, there will be more such attacks targeting the city-state and the businesses that operate out of Singapore.

He also lauded Singapore’s decision to allocate a significant portion of its IT budget to security, and ranked it higher than many countries in Asia and beyond.

Singapore revealed its Fiscal Year 2017 budget for technology to be S$2.4 billion (around US$1.8 billion) with security totalling 22 per cent of the projected expenditure for IT.

Earlier this year, it also announced that it will set aside S$145 million (around US$106 million) to invest in its Tech Skills Accelerator, an initiative to drive further IT education.

“[Its further investment in cyber security] is an indication that I think Singapore’s on the right track in terms of ensuring appropriate cyber security levels,” he said.

Winter also spoke to KrASIA about state-sponsored attacks, the business implications, and how Singapore fared in this recent attack.

 

Questions and answers have been edited for brevity and clarity:

KrASIA: What’s the main difference that separates a state-sponsored attack from one organised by commercially motivated criminal groups?

Winter: I don’t think there’s a bright line that separates nation state from commercially motivated attacks. I think depending on the nation-state in question, those two could be the same. There are certainly plenty of instances where nation-state sponsored attacks have been perpetrated for the purposes of acquiring intellectual property or business know-how.

A nation-state has a level of resource that allows it to undertake the most sophisticated and advanced and frankly lengthy campaigns in order to achieve their objectives. So when you see a breach that is highly targeted and uses very sophisticated approaches I think those news reports are absolutely right that it is often indicative of the involvement of a nation state.

I think it’s important to realize that in today’s world you can rent, lease or buy capabilities that put even your individual groups on a very similar footing with nation-states in terms of capabilities. So there are criminal groups out there that are not affiliated with nation states that are very well funded and technically very capable. It’s not simply a group. It’s not simply a teenager in the basement. There are very sophisticated groups that can undertake these attacks all over a lengthy period of time to ultimately achieve their objectives. So it is true that when you see what you’re seeing with SingHealth – the probability leans towards a nation state. But it’s not an absolute. 

 

KrASIA: The attackers were in the system for a week before the unusual activity was detected. How serious is that?

Winter: If you look at the average dwell time for a threat today, it’s measured in months. By that standard, it could be a lot worse than seven days.

Now that said, they had enough time to steal 1.5 million records. In a country the size of Singapore, that is a substantial percentage of the population whose data has now been taken. What this speaks to is the need for early detection and response of threats.

Singapore is home to around 5.6 million people

When you think about how a threat evolves, how a campaign is executed over time, it really starts by getting an initial look into an environment, whether that’s dropping key fobs in the parking lot, sending a phishing e-mail, sending them malware, socially engineering a way in, or even bribing someone just to get their credentials.

It starts with an initial hook. From there a threat actor wants to move laterally – low, slow and quiet – and they’re trying to stay low in the weeds and not be detected, escalating the privilege that they have in the environment until they’re ultimately able to achieve their objective. What businesses and government organisations need to do is detect the early signs of compromise and respond to them, to thwart them as early in the kill chain as possible, before the mission objective can be reached. In this case, that obviously didn’t happen until after the fact, after the breach, and that’s obviously too late.

But I think it speaks to a need that all businesses and government organisations have: to detect threats as early as possible in their lifecycle.

 

KrASIA: How can businesses or government organisations prevent or detect such signs as early as possible?

Winter: Any time a threat actor is present in your environment, that threat actor will be interacting with systems, leaving digital fingerprints and clues behind in the log data, in the flow data.

There is always some sign left behind of where threat actors have been, and so it comes down to detecting the early signs of compromise: that the threat actor is in the environment, traversing laterally and escalating its privileges in the environment.

Detecting those things, correlating them and understanding the changing behaviours in the environment that are indicative of compromise – that’s what needs to happen in order to attack this type of thing before the data records can be stolen.

 

KrASIA: Can you give us an example of some of these signs?

Winter: If you start seeing user credentials being used to access systems that user doesn’t ordinarily access in the normal course of doing his or her job, that is a sign that something is different. Now, different doesn’t always mean dangerous but it’s an early sign.

I think you can’t just discard it every time you see something different. You also can’t simply react to everything that’s different and new in your environment. It’s seeing that new behaviour together with other behaviours: suddenly a system beaconing to known command and control, or communicating with a known bad IP address outside of the business. Seeing a non-white-listed process started on a machine after this set of credentials was used to access that system, when it’s never been used to access that system. Put those two together, and now that looks a lot more alarming.
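The two answers above, on the fingerprints a threat actor leaves in log data and on combining an anomalous login with a non-whitelisted process or a connection to a known bad IP, describe a correlation rule. The following is an added example written for this article, not LogRhythm’s product logic or any code from the interview. Everything in it is constructed: the log lines, the per-user baseline of hosts each account normally logs into, the process allowlist, and the “known bad” address (a TEST-NET-3 documentation IP). An anomalous logon on its own is recorded only as a signal; an alert is raised only when a suspicious follow-on event lands on the same host inside a 30-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baselines (hypothetical, not from the article or from LogRhythm):
# hosts each user normally logs into, processes allowlisted on servers, and a
# "known bad" IP list (here a TEST-NET-3 documentation address as a placeholder).
USER_BASELINE = {"alice": {"ws-alice", "file-srv-01"}, "bob": {"ws-bob"}}
PROCESS_ALLOWLIST = {"sqlservr.exe", "svchost.exe", "backup-agent.exe"}
KNOWN_BAD_IPS = {"203.0.113.45"}
WINDOW = timedelta(minutes=30)  # how long an anomalous logon keeps a host "suspect"

# Constructed log lines in the form "<ISO timestamp> <EVENT> key=value ...".
SAMPLE_LOG = [
    "2018-07-04T09:00:00 LOGON user=alice host=ws-alice",               # baseline host
    "2018-07-04T09:05:00 LOGON user=bob host=db-srv-07",                # bob never uses this host
    "2018-07-04T09:06:10 PROCESS host=db-srv-07 image=svchost.exe",     # allowlisted, no alert
    "2018-07-04T09:12:30 PROCESS host=db-srv-07 image=export_tool.exe", # not allowlisted -> alert
    "2018-07-04T09:20:00 NETCONN host=db-srv-07 dst=203.0.113.45",      # known-bad IP -> alert
    "2018-07-04T10:30:00 PROCESS host=ws-bob image=notepad.exe",        # no suspect logon here
    "2018-07-04T14:00:00 PROCESS host=db-srv-07 image=other.exe",       # suspect logon too old
]


def parse_line(line):
    """Split one log line into a dict: ts, type, plus its key=value fields."""
    ts, event_type, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "type": event_type}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(lines):
    """Return (signals, alerts).

    signals: anomalous logons, i.e. a user on a host outside their baseline.
    alerts:  suspicious follow-on events (non-allowlisted process or known-bad
             destination) on the same host within WINDOW of such a logon.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    suspect_logons = defaultdict(list)  # host -> [(ts, user), ...]
    signals, alerts = [], []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "LOGON":
            if host not in USER_BASELINE.get(ev["user"], set()):
                suspect_logons[host].append((ev["ts"], ev["user"]))
                signals.append({"ts": ev["ts"], "user": ev["user"], "host": host})
            continue
        # Correlate only if an anomalous logon on this host is still inside the window.
        recent = [(t, u) for t, u in suspect_logons[host] if ev["ts"] - t <= WINDOW]
        if not recent:
            continue
        reason = None
        if ev["type"] == "PROCESS" and ev["image"] not in PROCESS_ALLOWLIST:
            reason = f"non-allowlisted process {ev['image']}"
        elif ev["type"] == "NETCONN" and ev["dst"] in KNOWN_BAD_IPS:
            reason = f"connection to known-bad IP {ev['dst']}"
        if reason:
            _, user = recent[-1]  # most recent anomalous logon on this host
            alerts.append({"ts": ev["ts"], "host": host, "user": user, "reason": reason})
    return signals, alerts


if __name__ == "__main__":
    signals, alerts = correlate(SAMPLE_LOG)
    print(f"{len(signals)} anomalous logon(s), {len(alerts)} correlated alert(s)")
    for a in alerts:
        print(f"{a['ts'].isoformat()} {a['host']} ({a['user']}): {a['reason']}")
```

Run against the constructed log, the single anomalous logon by bob on db-srv-07 produces one signal but no alert by itself; the non-allowlisted process and the known-bad connection that follow on that host within the window each produce an alert, while the allowlisted process, the activity on bob’s own workstation and the late event outside the window are all left alone. The baseline, allowlist and window are the parts a real deployment would tune.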

 

KrASIA: What are the business implications?

Winter: Threat actors target businesses and organisations that have something of value, whether it’s financial value like trade secrets, political value or even social value, even in instances where the initial compromise isn’t within the target organisation itself. A business partner may have limited value on offer to a threat actor but be relatively weak, so attacks can take place wherever there’s a path to value.

Singapore is in a very strategic place economically and geographically in the region. I think businesses in Singapore need to realize that increasingly they are targets of interest for threat actors. Businesses in Singapore would be well-advised to look at this threat as a wake-up call. This should be looked at as an opportunity for them to re-evaluate their IT security programme and make sure that they’ve taken the appropriate precautions.

 

KrASIA: Should the government have the same sort of security measures as a private sector firm?

Winter: The value of what you have that is of interest to a threat actor often dictates the measures that you should be undertaking to protect yourself.

I think governments, certainly in the United States, have tended to invest more than the private sector in protecting certain types of systems, simply because they have so much more data and they regard it as issues of national security.

There are instances where governments may have an obligation to actually invest more in cyber, given the responsibility that they have to the population. However, there are certain businesses that need to be looking at similar investment levels for themselves, given the fact that they are significant targets.

The real challenge is when the little company is the entry point getting to the big company.

I think if you’re a large corporate entity, you’re going to work with other vendors and enjoy the benefits of being able to allow them onto your network for maintenance or other legitimate business purposes. You do have a responsibility to make sure that you’ve architected your security measures and network in a way that you can monitor how traffic from that vendor is entering your network and interacting with your systems, and you need to make sure that that vendor has undertaken and implemented a certain level of security, so you feel reasonably safe.

I do think it’s probably incumbent upon the larger business to make sure its business partners are doing the right thing and they have to make sure that their systems internally are set up in a way to monitor and keep themselves safe.

 

Editor: Ben Jiang