Diving Head First Into the Aftermath of a Cyber-Attack

Like firefighters and the police, Cherri Chew’s job as an incident responder means she’s usually among the first to react and render aid. The difference is that instead of saving lives and property, Cherri tries to mitigate the harm to consumers and businesses from malicious cyber-attacks.

After reading multiple reports about how Singaporeans were falling for online scams back in 2015, the 23-year-old computer science graduate was determined to pursue a career in cybersecurity. She then decided to join the newly-minted Cyber Security Agency of Singapore (CSA) and is a member of its Singapore Computer Emergency Response Team (SingCERT).  

“I thought if I was aware of the cyber incident trends, I could advise my family and friends on how to avoid them,” she says.

We caught up with Cherri to find out more about her role and recounts her experience dealing with the WannaCry ransomware attack and other malicious cyber threats.

What do you do at SingCERT?

As an incident responder I give recommendations to businesses and members of public on what they can do when their systems or networks are compromised in a cyber-attack. Examples of cyber-attacks include website defacements, DDoS (Distributed Denial of Service) attacks on the servers, and phishing. The types of cyber-attacks out there vary in nature and scale, and require different methods of resolution.

In website defacement or DDoS attack cases, we typically request for web server logs for analysis and to determine the root cause of the attack. In phishing cases, we will identify the phishing website’s IP address and work with the hosting provider to take it down. SingCERT also receives information from the National Cyber Threat Monitoring Centre about the potential threats to Singapore. When a high potential threat is identified, I will put together a detailed advisory to publish on our website, social media and through e-mail. This way, businesses and the general public are informed of the measures to take to safeguard their internet-connected devices.

Cherri at work in the National Cyber Incident Response Centre (NCIRC) Operations Lab, with her colleagues at SingCERT

What’s one thing about your job that most people don’t know?In a typical day, a server log can contain an average of 3,000 to 4,000 activities. However, in the event of an incident and depending on its scale, we sometimes need to retrieve as much as one month’s worth of server for examination, within one to two working days. We will go over every single activity performed with a fine-tooth comb and look out for anomalies, such as a sudden spike in data traffic originating from a certain IP address in the case of a DDoS attack. At first, I found it daunting to examine tens of thousands of server activities, but I do feel a great sense of achievement and relief whenever we are able to locate the root cause of the incident.

From your experience, which is the most damaging form of cyber-attack?

Ransomware. It is a type of malware that holds a victim’s files, computer system or mobile device ransom, restricting access until a ransom is paid. There are many variants out there, but there isn’t a decryptor for all. If you happen to be attacked by one that doesn’t have a decryptor, and you don’t have regular backups of your files – unfortunately, you won’t be able to recover them.

Anyone – individuals or businesses – can be a victim of Ransomware. During the ransomware attack in May 2017, I came across someone who lost all his data which he relied on to run his business. As a result, his business operations were affected and there were financial implications. Should such cyber-attacks happen to our Critical Information Infrastructure (CIIs) that provides essential services, there could have major repercussions. For example, if a hospital or a clinic whose patients’ records have been erased, your doctors can’t prescribe medicine without the patient’s medical history. The best protection against ransomware is to prevent it from happening. By practising good cyber hygiene such as updating our software regularly and following internet browsing best practices, we can better protect ourselves against ransomware. 

Speaking of ransomware, how did SingCERT react to the global WannaCry ransomware attack in 2017? What role did you play?

We immediately went on heightened alert, which means that we were on call 24/7. We issued an advisory on ransomware to inform the public on what they could do to mitigate it. Even at home, we attended to queries, for example, how to clean up and patch one’s system, how to prevent ransomware from happening etc.

Through open source feeds, SingCERT identified 500 IP addresses that could be affected by WannaCry. We worked closely with the Info-communications Media and Development Authority to inform the parties with the affected IP addresses and taught them how they should clean up their system.

What are some common misconceptions the public have about cybersecurity?

Many people think that only businesses get hacked because hackers have more to gain from them. But in the eyes of cyber criminals, anyone can be a target as all of us hold valuable information such as credit card details.

Many people think that having a different password for different accounts is enough. The fact is, hackers can crack passwords easily. Our advice to the public is to have basic cyber hygiene and one tip is to have strong passwords – one that is long and random. For additional security, you should also opt for two-factor authentication whenever this option is available.

How would you explain what cybersecurity is to your grandmother?

It is like the lock you use to secure your home. Cybersecurity protects you and your personal belongings from burglars. My role at SingCERT is to advise users how best to ‘lock their doors’ and keep their devices secure.

Complete the sentence: Cyberspace without security is like… a bank with an open vault.

For more information about SingCERT and to stay updated on the latest alerts, visit www.csa.gov.sg/singcert

This article was reproduced with permission from the Ministry of Communications and Information.