Fighting cybercrime, CSI style
Studying clues and tracking malware are all in a day's work for cybercops
Mr Dean Eng is at the front line of Singapore's cyber security defences.
The 28-year-old is a systems engineer at Singapore's Cyber Security Agency (CSA), which was set up in April last year to protect national IT systems from cyberthreats. The CSA reports directly to the Prime Minister's Office.
Managed by the Ministry of Communications and Information, it also works closely with the private sector.
At CSA, Mr Eng is part of a team of 50 systems engineers, which includes forensic and malware analysts. The team is responsible for keeping our digital doors sealed against cyber attacks.
When these attacks do sneak through, the team has to "quarantine" the infection and investigate how and why the breaches happened.
Said Mr Eng: "We need to know why they happened, how they happened and who was affected. Did the attack target a few people, or everyone in the network?
"Furthermore, computer malware evolves and no two cases are exactly the same. It's not an easy job."
Singapore is taking new measures to ramp up its cyber security.
Starting next May, all computers used officially by public servants, except teachers, will not have direct access to the Internet.
The move is "absolutely necessary" to keep government data secure, said Prime Minister Lee Hsien Loong earlier this month.
In the past year, 16 attacks on government networks made it past firewall systems. The malware was detected and destroyed, thanks to defences put up by cybercops.
Recently, Malaysia's national cyber security agency found that more than 2,100 servers in Malaysia had been hacked.
According to Mr Eng, digital attacks can come from many sources. These include phishing e-mails, where attackers pose as individuals or reputable organisations to try to obtain the personal information of network users.
Both phishing e-mails and infected thumbdrives can carry malware.
One example is ransomware, a new form of malware that locks up files or computer systems, which may contain sensitive information. It then demands a ransom in the form of virtual currency, such as bitcoins. If the ransom is not paid, the data is not unlocked.
Cyber attacks can also cause physical damage.
In 2010, Stuxnet, a malicious computer worm, targeted machines using the Microsoft Windows operating system. It seized control of the operations of the equipment those machines controlled and physically destroyed it.
Due to the increased frequency of such attacks, forensic analysts like Mr Eng cannot rest on their laurels.
Said Mr Eng: "We try to predict what will come next, the rate of the attack, and when it will take place."
Sometimes, the team is alerted to cyberthreats in the private sector, such as the banking industry.
In these cases, forensic cops will head to the crime scene to collect evidence such as infected computers. Then, they take apart the evidence carefully - much like investigators in the US TV drama CSI.
For instance, Mr Eng uses a "cloner" machine to make a copy of the contents in an infected computer's hard drive. By reading the code, he can examine the extent of the damage as well as the source and nature of the malware.
The code is then incorporated into the system's defences so similar attacks can be denied entry.
According to a report by global research and consulting firm MarketsandMarkets, the global spending on cyber security is expected to grow from US$75 billion (S$100 billion) in 2015 to US$170 billion by 2020.
Mr Eng's interest in cyber forensics has its roots in his childhood.
As a child, he would dismantle broken clocks and fix them.
He said: "Cyber forensics is a similar concept, because you're constantly analysing and improving network defences.
"The most important thing is to never make assumptions about the nature or type of cyber attack. Let the evidence, such as the software code, tell the story."
MAJOR CYBER ATTACKS
ATTACKS IN S'PORE
1. A 36-year-old hacker who called himself "The Messiah" was jailed for four years and eight months in January last year after pleading guilty to 39 charges of computer misuse.
In 2013, he had targeted computer servers of at least seven organisations including the PAP Community Foundation and Ang Mo Kio Town Council, in what the prosecution called the most serious incident of hacking brought before a court here.
2. In 2014, there was a security breach of the Ministry of Foreign Affairs' IT systems, one of the more serious attacks against the government's IT networks. Steps were taken to isolate the affected devices and security measures were implemented to strengthen the networks.
3. In 2009, there was a series of attacks in the run-up to the Asia-Pacific Economic Cooperation (Apec) meetings held in Singapore. At least seven waves of malicious e-mail attacks were detected, targeting the Apec Organising Committee members and delegates of various Apec countries.
1. Often referred to as "the world's first digital weapon", Stuxnet was reportedly a jointly-built US-Israeli cyber weapon that could physically destroy targeted computers.
The malware was designed to infiltrate Iran's computer networks and cause the nation's centrifuges to spin out of control, causing damage to critical equipment.
In 2010, Stuxnet is believed to have destroyed 1,000 of Iran's 6,000 centrifuges.
2. In 2008, a flash drive was inserted into a US military laptop at a US army base in the Middle East. Code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the US military's Central Command.
It spread undetected, allowing data to be transferred to servers under foreign control. It took the Pentagon nearly 14 months to clean out the worm - a process the US military called Operation Buckshot Yankee.