On 10 January 2019, Singaporean authorities finally released a report detailing how the attack against Singapore’s largest group of healthcare organizations, SingHealth, occurred. The breach took place between August 2017 and July 2018, resulting in the compromise of 1.5 million patient records, including personally identifiable information (PII) such as medical records, prescriptions, full names, National Registration Identity Card (NRIC) numbers, addresses, and dates of birth. In our last extended edition of ShadowTalk, Dr Richard Gold joined me to discuss the implications of the report.
Perhaps unsurprisingly, the attackers did not use a dreaded zero-day exploit for initial intrusion. Early reports suggested the attack started through a phishing attempt. The authors of the final report said they were unable to nail down the initial vector; however, they also suspected it was phishing.
One compelling hypothesis doing the rounds on social media is that the attackers achieved their intrusion through an open-source penetration-testing toolkit called Ruler. Here the attackers seemingly targeted a known vulnerability that SingHealth had failed to patch. This vulnerability allowed the attacker to modify a user’s Microsoft Outlook homepage. Armed with credentials, the attackers could plausibly have logged in to Exchange as that user and pointed that user’s Outlook homepage at a piece of malicious code. If this hypothesis is true, then in essence this is a fully remote attack conducted using Ruler, rather than a phishing attempt.
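A defender-side check for the Outlook homepage setting the hypothesis above relies on, written as an added example that is not part of the original post or of the Ruler project. It assumes the Office 2013/2016+ registry layout (version keys 15.0 and 16.0) in which folder homepages live under `Outlook\WebView\<Folder>\URL`; the allow list is a placeholder for URLs your organisation has deliberately configured.

```powershell
# Added example (not from the original post): enumerate Outlook folder homepage
# settings in the current user's registry hive. A populated URL under a
# WebView\<Folder> subkey makes Outlook render a web page instead of the normal
# folder view, which is exactly the setting the Ruler technique abuses. Any
# value an administrator did not deliberately configure deserves investigation.
# Assumption: Office version keys 15.0 (2013) and 16.0 (2016/2019/365).

function Get-OutlookHomePageSettings {
    [CmdletBinding()]
    param(
        # Office version keys to inspect (assumed; extend for older builds).
        [string[]]$OfficeVersions = @('15.0', '16.0'),
        # Homepage URLs that are known-good in your environment (placeholder).
        [string[]]$AllowList = @()
    )

    foreach ($ver in $OfficeVersions) {
        $webView = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
        if (-not (Test-Path $webView)) { continue }

        # Each subkey is a folder (Inbox, Calendar, ...) that may carry a URL.
        foreach ($folderKey in Get-ChildItem -Path $webView) {
            $props = Get-ItemProperty -Path $folderKey.PSPath
            $url   = $props.URL
            if ([string]::IsNullOrWhiteSpace($url)) { continue }

            [pscustomobject]@{
                OfficeVersion = $ver
                Folder        = $folderKey.PSChildName
                Url           = $url
                Flags         = $props.Flags
                # Anything not explicitly allowed is flagged for analyst review.
                Suspicious    = ($AllowList -notcontains $url)
            }
        }
    }
}

# Report every configured folder homepage on this host; run under each user
# profile (or via a logon script) because the setting is per-user.
Get-OutlookHomePageSettings | Format-Table -AutoSize
```

Because the registry only reflects what the local Outlook client has synchronised, the folder property set on the mailbox server can differ from what this check sees; treat a clean result as one data point, not as proof that no homepage was set.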
Another point to note is that the attackers were in the network for at least a year. Once they broke in, they lay dormant for several months before moving laterally within the network and accessing the medical database they were after.
The post-mortem report states that personal and outpatient data belonging to the Singaporean Prime Minister, Lee Hsien Loong, was repeatedly targeted and accessed, which indicates there may be a political aspect to this attack. Nevertheless, with over 1.5 million records stolen, other motives beyond political espionage also need to be considered.
If we think of how this data can be monetized, the detailed personal data included in the database can be used for financial purposes such as filing fraudulent tax returns, or credit card and loan applications. With this amount of detailed information on an individual, you can effectively authenticate as another person. If combined with other datasets such as travel records or hotel stays – as seen in the Marriott breach – then this could be significant from a counter-intelligence perspective. There is therefore an overlap here between political espionage and financial uses for the data.
Attributing attacks to Advanced Persistent Threat (APT) groups is fashionable, and we generally look at such claims with a degree of skepticism. In this case, however, there does appear to be some truth in it.
If we look at the characteristics of the attack, the level of persistence displayed by the attackers fits the profile of an APT group. The attackers accessed a Citrix virtualization environment that allows users to connect to backend databases, including ones holding medical data. The attacker gained access to the Citrix environment through credential reuse, but once in, they found a number of different servers, not all of which had the access they required. They tried numerous ways to reach these servers, and it is this tenacity that demonstrates the attackers had a goal – or set of goals – which they were clearly very motivated to achieve. In other words, they moved around the environment until they obtained the credentials they needed and the appropriate server from which to access the medical database.
This does not appear to be an opportunistic attack: for example, one where the attackers hoover up everything and anything they can find. Instead they specifically wanted access to a particular database. In the end, all these different attempts were what alerted the administrators that something suspicious was happening.
There are both technical and process failures here that we should pay attention to. On the technical side, we saw known vulnerabilities being exploited when patches were available. The organization had recently employed penetration testers whose findings were ignored. Those tests had identified a lack of network segmentation (which allowed the attackers to move laterally) and the absence of multi-factor authentication for administrator accounts.
With regard to process, two key findings stand out. First, the report authors judged that the staff didn’t have the appropriate cyber security awareness or resources to respond effectively to the attack. While they picked up the activity, they didn’t understand it in the context of what APT attacks look like, which severely limited how they could respond.
The second point is that key security personnel (those in charge of IT, security, incident response, and reporting) failed to take timely action. Put another way, those making decisions didn’t make any decisions. Something as significant as the Prime Minister’s medical records being repeatedly targeted and stolen should have been escalated to the Singaporean Cyber Security Agency (CSA), which has a background in APT activity. The security management personnel in question did not seem to know what a security incident was or how to respond. For example, they made unrealistic demands such as needing 100 percent confidence that it was malicious activity (you are never 100 percent sure until it’s too late). Even more alarmingly, they were reluctant to escalate the issue in case it was a false alarm and it would not reflect well on them.
For more analysis of the SingHealth breach post-mortem report, listen to the full episode of ShadowTalk: Episode 57: Singapore Healthcare Breach.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.