Threat Hunting: Singapore’s New Cybersecurity Regime

Jeremy Ho 23 November 2022


This article delves into new legislative actions in Singapore and how they affect the steps firms should take to identify threats to their digital security. Cybersecurity remains a top concern for wealth managers, especially given the financial sums at stake.

New cybersecurity legislation in Singapore is designed to raise the game in fighting this menace, one that those working in wealth management need to be mindful of. To discuss developments in the jurisdiction is Jeremy Ho (pictured), marketing director for Southeast Asia, Hong Kong, and Taiwan at SentinelOne, a specialist firm operating in the cybersecurity space. The editors are pleased to share these thoughts and invite responses. The usual disclaimers apply. Jump into the conversation! Email

Last month, the Cyber Security Agency (CSA) announced that it had established an interagency counter-ransomware task force to tackle a growing concern in Singapore. The task force’s mission is to develop and make recommendations on policies, operational plans, and capabilities to improve the country’s counter-ransomware efforts. 

Establishing the task force aligns with another CSA effort launched earlier this year to protect the long-term security of Singaporean businesses. The Cybersecurity Code of Practice for Critical Information Infrastructure – Second Edition, which built on the Cybersecurity Act 2018, published new requirements for Critical Information Infrastructure Owners (CIIO). CIIOs must proactively search for signs of malicious activity within a Critical Information Infrastructure (CII), which they call threat hunting. 

CSA believes that detection requirements such as threat hunting will help the CIIO understand and implement the required people, processes, and technology needed to detect malicious activity and vulnerabilities. This includes monitoring traffic and logs, as well as searching for any signs of malicious activity. 

From July 2022 onwards, all CIIs operating in Singapore are required to conduct threat hunting once every 24 months. This is applicable to all services rendered, including any outsourced activities to a third-party vendor. The CIIO is accountable for the entire CII's cybersecurity posture and has 12 months to comply with the regulation. CIIs include government agencies, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security, emergency, and media companies. 

What is threat hunting?
According to the legislation, threat hunting is “a proactive effort to search for signs of malicious activities that have evaded security defences within the CII.” Threat hunters can uncover hidden threats that may be waiting to execute an attack or find events that have already compromised the environment. 

Effective threat hunting helps uncover hidden advanced persistent threats (APTs), cybercrime, policy misuse, insider threats, poor security practices, and environmental vulnerabilities. The activity aims to identify attacks that slipped past your business's defensive shield. 

Complying with threat hunting legislation
To be compliant, organisations must collect and store logs of all attempts to access the CII and several network connection attempts from both within and outside the CII. Organisations also need to collect and store firewall logs, DNS logs, web proxy logs, and NIDS/NIPS logs. 

To complicate matters further, the logs must use a consistent time source, be protected against unauthorised access, and be stored for a minimum period of 12 months. They must be monitored by a log retention policy and have a log file structure that facilitates analysis. These logs must be handed to the CSA commissioner upon request for threat monitoring, threat analysis, threat alerts, and threat response.

Singaporean CIIs have until 4 July 2024, to conduct their first threat hunt. After that, they must complete a threat-hunting exercise every 24 months. Any cybersecurity risks that are identified during the threat-hunting exercise must be included in cybersecurity risk assessments to ensure that any found threats are assessed, mitigated, and tracked. Additionally, they must investigate those threats to determine whether any incident took place in the past. If an incident was uncovered, the CIIO is responsible to lead applicable incident reporting, response, and recovery plans. 

Threat hunting in practice
While the concept of threat hunting seems reasonable, it is quite difficult to do in practice. Threat hunting across various security technologies' disparate log data is demanding; this is why XDR vendors are able to offer a much more efficient solution to threat hunting. Collected endpoint data includes all network connections, file events, and registry events. This creates a rich hunting ground to proactively identify hidden threats, risks, and vulnerabilities and empower your team to proactively mitigate risks that degrade your security posture.

However, even with access to this vast collection of data, it is still challenging to effectively threat hunt without a full-time team of threat intelligence experts, malware reverse engineers, hunters, and investigators. For this reason, cybersecurity vendors offer a threat hunting/compromise assessment service. For example, some cybersecurity vendors provide expert hunters who will leverage their proprietary hunting methodology and intelligence enrichment to hunt your global environment and provide a prioritised roadmap of identified threats and risks with mitigation guidance for every finding.

Benefits of threat hunting
Threat hunting allows CIIs to proactively get ahead of the latest threats by hunting for malicious activity. It helps to improve a CII’s true risk posture and prevent any number of cyber incidents from progressing into full-blown attacks. When threat-hunting activities are complete, they provide confidence and peace of mind to CIIOs who no longer need to worry about latent threats hiding within the network. 

Strengthening your security posture
Threat hunting is an important element in building up a CII’s security posture. However, for Singaporean organisations to comply with the directive, they need to ensure that they have the right tools and processes in place to conduct the hunt. Otherwise, they may pass over a threat that is hiding in plain sight.

About the author

Jeremy Ho brings forth 20 years of experience in cybersecurity, ranging across sales and technical functions – taking new offerings into the market, with proven track records of building businesses and overachieving. Ho is also an experienced manager who oversees a multi-national team across the APJ region – covering both direct and indirect selling through channel partners.

Register for WealthBriefingAsia today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes