Personal data of 1.5 million SingHealth patients has been compromised in what is being described as Singapore’s worst data breach to date.
According to analysis of the SingHealth breach by multiple sources, including the Cyber Security Agency of Singapore, the attackers operated with a high level of sophistication: they followed user-whitelisted paths, used stolen credentials, and exfiltrated data.
Even though the attackers were sophisticated, the attack pattern itself was actually quite predictable—it followed a typical kill-chain pattern of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective. The high sophistication level of the attack is what prevented it from being detected with standard tools. The predictable kill-chain pattern, however, is what would have allowed cyber deception to detect and block the attackers, had cyber deception been deployed along the attackers’ path.
- Initial infection – According to analysis of the attack, the initial breach was executed by infecting a front-end workstation. The attackers then leveraged user credentials from that workstation in order to gain access to SingHealth database systems. This is the most common attack scenario, where attackers breach a weak link, and use that beachhead to further infiltrate the organization and obtain access to critical assets. This pattern of using user credentials obtained from compromised machines is where deception is most relevant because it seeds all front-end workstations (and servers!) with deceptive credentials. As soon as attackers pick up and attempt to use those credentials, they are detected with a high level of fidelity.
- Infiltration – One of the advantages of deception is that it is a quiet technology that doesn’t generate noise unless an attacker is really at play. Typical users should not be accessing the deception elements, so if they are used, it means someone is touching data they shouldn’t be. This allows deception to be deployed without worrying that it will generate extra work for the security teams; it is quiet until something bad is happening—then it immediately raises an alarm.
- Data exfiltration – The next step where deception would have been effective is during the phases where attackers obtained and exfiltrated the data. By seeding the health records with deceptive data and documents, it would have been possible to see that data was leaving the organization (by correlating data transfer with deceptive information). HoneyDocs, which are documents that beacon an alert when they are opened, could also have been used for this purpose.
- Investigation – Deception would also have been useful during the investigation phase that took place starting July 4th, as it would have allowed defenders to push attackers into a contained environment. There, attackers would have been led to believe that they were still actively exfiltrating data from SingHealth, while in fact they would have been monitored to allow defenders to gather forensic data to prevent these attackers from carrying out further attacks or returning.
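The "Initial infection" point above rests on one detection rule: a decoy credential has no legitimate user, so any authentication attempt with it is a high-fidelity alert, successful or not. The following is an added example (not Cymmetria's code or anything from the SingHealth analysis) that runs that rule over constructed authentication log lines; the decoy account names, hosts, addresses and log format are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Decoy credentials seeded on workstations. Constructed, hypothetical names:
# no real user or service should ever authenticate with them.
DECOY_ACCOUNTS = {"svc_backup_ro", "dba_legacy"}

# Constructed log format; real sources (Windows 4624/4625 events, a database
# audit log) would first be normalised into this shape by the log pipeline.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) target=(?P<target>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    target: str
    result: str

def parse_line(line: str) -> Optional[dict]:
    """Parse one normalised auth record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_decoy_use(lines: Iterable[str]) -> List[Alert]:
    """One alert per authentication attempt that uses a decoy account.
    Failed attempts count as much as successful ones: the credential exists
    only on seeded hosts, so any attempt means it was harvested from one."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(rec["ts"], rec["user"], rec["src"],
                                rec["target"], rec["result"]))
    return alerts

# Constructed sample log: normal activity, then a decoy account picked up on a
# front-end workstation and tried against a database server.
SAMPLE_LOG = [
    "2018-06-27T09:12:03Z target=ws-frontdesk-12 user=jtan src=10.1.4.12 result=ok",
    "2018-06-27T09:40:17Z target=db-ehr-01 user=appsvc src=10.1.8.5 result=ok",
    "2018-06-27T22:05:44Z target=db-ehr-01 user=dba_legacy src=10.1.4.12 result=fail",
    "2018-06-27T22:05:51Z target=db-ehr-01 user=dba_legacy src=10.1.4.12 result=ok",
    "2018-06-28T01:10:02Z target=ws-frontdesk-12 user=jtan src=10.1.4.12 result=fail",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"DECOY CREDENTIAL USED: {a.user} from {a.src} -> {a.target} ({a.result}) at {a.ts}")
```

Note that the legitimate user's failed login on the last line produces nothing: the rule needs no baseline or threshold, which is what keeps deception quiet until an attacker is at play.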
One of the main lessons we can take from this incident is that breaches keep happening, and existing network and endpoint solutions are ineffective in fully stopping them. It is up to us as defenders to pick up new techniques and technologies to ensure we stay ahead. Deception is one such technology: by turning attackers’ predictable methodology against them, it gives defenders the upper hand.
Irene Abezgauz is Co-Founder and VP Product of Cymmetria, where she uses her technical background to lead product design, and also helps to plan the company’s roadmap. Her experience lies in building successful cybersecurity products and bringing them to market.