Cyber Incident

Response PLAYBOOK
The purpose of the Cyber
Incident Response Playbook (IT)
is to define activities that should
be considered when detecting,
analysing and remediating Cyber
cyber incidents. Incident
Response
Containment
Cycle Eradication & Post-incident
The playbook also identifies the Preparation Detection
& Analysis Recovery Activity

key stakeholders that may be

required to undertake these
specific activities.
AN INITIATIVE BY THE SSA CYBERSECURITY SUB-COMMITTEE
 About this Cyber Incident
Response PLAYBOOK (IT)
We look forward to having our members benefits from the Incidents Response Playbook. With this reference, we can
be better prepared on our response procedures, conduct frequent drills and training for internal staff. Organisations
will be able to respond swiftly, systematically contain/eradicate the incident and maintain strong communications
with key stakeholders. Effective response and recovery is as important as protection and detection.
Leslie Yee, SSA Cybersecurity Sub-Committee Chairman, 2019/2021

THIS PLAYBOOK CONTAINS THE FOLLOWING SECTIONS:

Handling Handling Handling Handling Handling

Ransomware/ Malware Phishing Data DoS
CryptoLocker Infection Attack Breach Attack
 Cyber Incident RESPONSE Establishing an appropriate cyber
CYCLE security incident response
capability helps in assessing the
state of readiness so that an
organisation can prepare for a
The Cyber Incident Response Cycle consists of 4 stages: cybersecurity incident, respond to
a cyber security incident and
follow up and review a cyber
security incident.

Containment
Preparation Detection Eradication & Post-incident
& Analysis Recovery Activity

1. Preparation involves utilising anti-malware software and firewalls.

2. The Detection & Analysis phase uses technical or administrative security controls
to detect malicious activity in the environment,
3. which then flows into the next stage containment, eradication, and recovery,
with the implication that each may be repeated multiple times during a given
incident.
4. In the post-incident activity, this stage looks at understanding the cause of the
incident, reviewing how the program can be improved, with the proceeding to
start to implement improvements.
 Defining the ORGANISATION Depending on their complexity &
SECURITY LEVEL risk appetite, these levels can be
established with the assistance of
a company's IT department or a
Risk Level Evaluation cybersecurity services provider.
Severity Level Timeframe Escalation Next Level What is the impact?

Security Level 1:
Affected more than 50% of the IT system

1 Within 1 hour Deputy GM/CIO

The overall Company business affected
Business data integrity affected

Security Level 2:

2 E
At least 1 business function/operation

L
Within 4 hours Deputy GM/CIO affected

P
Material financial impact

AM Security Level 3:

3 X
Minor system failure has occured

E
Service Degradation has occured
Within 6 hours Deputy GM/CIO

Security Level 4:
Suspicious security issues detected by SIEM

4 Within 2 days Deputy GM

Issues already prevented by existing
security controls
Issues can be prevented by existing
security controls
Defining the
INCIDENT FLOW RESPONSE
Incident Reported
SOC Alerted
Internet Classification
The need to prepare people and
organizations for cyberattacks is
very important.
The recommended structure will
Detect be to have a team that looks at
1 Hour
Remediation, Analyze and Detect.

Severity
1-3
Classify 1 Hour
Alert CISO Severity
Severity
1 Hour 1-4 Analyse
Inform Business
Assessment
Owner, CIO, CEO
Daily Update at 6 PM
Escalate Severity
Inform Business Owner, CIO,
CEO

Containment

Remediation
Response Action

Closed
 How do you HANDLE Infections can be devastating to an
RANSOMWARE/CRYPTOLOCKER? individual or organization.

Also, recovery can be a

difficult process that
eraperP

Review latest Ensure access to

Review cybersecurity Maintain security
Start incident process and
procedure
Review recent
cybersecurity incident
vulnerabilities and
threat intelligence
documentation -
Network Architecture
awareness through
awareness training
may require the
Diagram
services of a reputable
data recovery
specialist.
tceteD

Report of ransomware Identify likelihood of Incident reporting

attack (service desk & Collate cybersecurity Escalate according
Activate SOC (CIRT) widespread according to incident
SIEM/SOAR) incident data severity (1-4)
ransomware infection response
esylanA noitaidemeR

Investigate Verify all infected

Engage IT Technical Scope of the ransomware in the assets are in the
Team attack/infection Identify the impact
secure/standalone process of being
environment quarantined

Conduct restoration Re-scan the system to

Containment/ Isolate affected
of affected system ensure no Restore the service
Quarantine affected system
ransomware
tnedicni-tsoP

Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
ransomware attacks
 How do you HANDLE Organizations should have a robust
MALWARE INFECTION? incident response process capability
that addresses malware incident
handling.

The first step is to

eraperP

Review latest Ensure access to

Review cybersecurity Review recent Maintain security
Start vulnerabilities and documentation -
incident process and awareness through
procedure
cybersecurity incident threat intelligence Network Architecture
Diagram
awareness training detect whether or not
your system truly has
been infected.
tceteD

Report of Malware Identify likelihood of Incident reporting

(service desk & SIEM Activate SOC (CIRT) Collate & classify Escalate according
widespread malware according to incident
/SOAR alert) cybersecurity incident severity (1-4)
infection response
data
esylanA noitaidemeR

Investigate
ransomware in the Verify all infected
Engage IT Technical Scope of the
secure/standalone Identify the impact asset are in process
Team attack/infection
environment being quarantine

Disconnect infected Ensure the latest Re-scan the system to

Containment/ system from the Restore the service
malware and anti- remove and ensure no
Quarantine affected network malware updated more Malware
tnedicni-tsoP

Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
malware
 How do you HANDLE There are several human and
PHISHING ATTACK? technological factors that companies
should consider to avoid falling
victim to phishing attacks.
It's also important to
eraperP

Review latest Ensure access to

Review cybersecurity Maintain security
Start incident process and
procedure
Review recent
cybersecurity incident
vulnerabilities and
threat intelligence
documentation -
Network Architecture
awareness through
awareness training
educate your
Diagram
employees about the
tactics of phishers.
Employees awareness is
tceteD

Report of phishing Incident reporting

email (service desk & Collate cybersecurity Escalate according
Activate SOC (CIRT) Identify spoof email according to incident
SIEM/SOAR) incident data severity (1-4)
response key.
esylanA noitaidemeR

Investigate receiver,
Engage IT Technical Scope of the verification of sender
Team attack/infection Identify the impact
and have recipient
account compromised

Suspend login Conduct password Blacklist the

Containment/
credentials for reset for affected user originator of the
Quarantine affected
compromised account account Phishing email
tnedicni-tsoP

Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
phishing attacks
 How do you HANDLE The most important step to take
DATA BREACH? after a data breach is to understand
the root of the issue.

Then, it's important to

begin notifying your
eraperP

Review cybersecurity Review latest Ensure access to Maintain security

Review recent documentation -
Start incident process and
procedure
cybersecurity incident
vulnerabilities and
threat intelligence Network Architecture
awareness through
awareness training
employees and your
Diagram
customers of the
breach. Problems such
Notification through
as these are best
tceteD

Report of Data breach Incident reporting

or compromise to customer, SIEM log Collate cybersecurity Escalate according
Activate SOC (CIRT) according to incident
service desk /alerts & business
users
incident data severity (1-4)
response presented upfront and
honestly.
esylanA noitaidemeR

Confirm the data Scope of attack Analyze data type and quantity to determine
Engage IT Technical involved -classification of the lost / compromised data whether:
Team (Customer/ - are customer affected Privacy breach
Organization) - Legal & regulatory requirement violated financial data loss

Review compromised Restore any corrupted or destroyed data

Containment/ Reset compromised account Restore any suspended service
Quarantine affected account password privileges/privilege establish monitoring to detect further suspicious
user access. activities
tnedicni-tsoP

Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
data breaches
 How do you HANDLE Recovering from a DDoS attack is no
simple matter, but once an attack is
DoS ATTACK? over, it is important to do a thorough
inventory of your systems and data.
Many times, DDoS
attacks are used as a
eraperP

Review latest Ensure access to

Review cybersecurity Review recent Maintain security
documentation -
Start incident process and
procedure
cybersecurity incident
vulnerabilities and
threat intelligence Network Architecture
awareness through
awareness training
smokescreen for
Diagram
another, more
sophisticated attack.
Type DOS symptoms
tceteD

DoS attack (service (slow access to files, Collate and classify Incident reporting
inability to access the Activate SOC (CIRT) cybersecurity incident Escalate according
desk & SIEM/SOAR) according to incident
website, internet data severity (1-4)
disconnection) response
esylanA

Confirm system/ Scope the attack

Engage IT Technical analyse the flow of attack
application being
Team Collate timeline of event from when the attack was first detected
targeted Collate the type of DOS attack if we know at this stage
noitaidemeR

Decide whether
Implement immediate step to Business Continuity Consider filtering Placing IP restriction on affected system
mitigate e.g request ISP to drop all Plan (BCP) plan traffic at ISP level
traffic targeting affected system should be enacted
tnedicni-tsoP

Internal
Draft the post- Incident reporting and communication to
incident report lesson learnt educate end users for End
attack
Prepared by:
Chairman of Cyber-Security Sub-Committee - Mr Leslie Yee, PIL
Vice-Chairman of Cyber Security Sub-Committee - Mr David Aw, PIL
Members Review:
Naveen Selvam, ABS Group
Duncan Ng, MSC

References:
1. NIST Cybersecurity Framework
2. BIMCO - The Guidelines on Cyber Security Onboard Ships
3. The Singapore Computer Emergency Response Team (SingCERT) - Report a Cyber-Incident to SingCERT
To report an incident, please call the SingCERT hotline at 6323 5052. Alternatively, please email SingCERT
at singcert@csa.gov.sg

Revision Date: June 2021

For any queries, please contact haniza@ssa.org.sg