Looking for clues of a cyberattack is no easy feat. Cyber security analysts comb through masses of data in search of anomalies – akin to looking for a needle in a haystack.

Wang Pei Fen, Systems Engineer at the Cyber Security Agency of Singapore’s National Cyber Incident Response Centre, analyses months of log files to look for hints of a breach.

She shares what goes on during a cyber incident investigation.

What sparked your interest in cybersecurity?

My journey in cybersecurity began in university where I was a student majoring in Information Systems. There, I was exposed to the different aspects of cybersecurity and how it applies to our everyday lives. I learnt about the dangers lurking in the background when we use our computers and mobile devices, and the risks we take when we trade-off cybersecurity for convenience, for example, performing a financial transaction while connected to an unsecured public Wi-Fi network. I soon realised that the acquisition of cybersecurity knowledge and skills can help me to protect myself and the people around me.

Tell us something interesting about your job that not many people know about.

During a cyber incident investigation, we don’t just deal with one machine image or a single log file; instead, we need to check through multiple images and months of log files to look for clues of the attack. We study the network infrastructure, look for anomalies by going through events on every log file, and perform forensic analysis on the images. Such investigative efforts require a team with various technical knowledge to piece all the information together and form a bigger picture of the incident. The process may be time-consuming, and there could be many dead-ends. However, the one clue you find may just be the key to solve the puzzle. Hence, we must always be patient and meticulous in our investigations.

What is a typical day at work like for you?

I respond to cybersecurity incidents affecting members of the public and enterprises in Singapore. These incidents are usually reported to us via various reporting channels such as our incident reporting form, email or hotline.

First, I conduct triage and analyse the information provided to gain a better understanding of the incident. Based on the analysis, I provide advice to the reporting party on the appropriate remediation measures, and recommendations on best practices that can be taken to protect against similar threats. I also work closely with other CSA divisions, government agencies and national CERTs to gather or exchange information, as well as to mitigate reported threats. Some commonly-reported cyber incidents include phishing, business email compromise and ransomware.

In addition, I draft advisories and alerts to highlight security vulnerabilities, and provide guidance on cybersecurity threats and mitigating measures to adopt. These are published on CSA’s SingCERT webpage and broadcasted through our mailing list and social media platforms.

 What makes you excited about coming to work?

I get to experience and learn new things because cybersecurity is constantly evolving. When responding to cyber incidents, everything you analyse is unique. I may need to pick up a new programming language or learn a different analysis technique. When I organised the 14th ASEAN CERT Incident Drill (ACID) last year, I had the opportunity to design scenario injects and create artefacts on prevalent cyber threats. For example, when we had a phishing inject, we created phishing emails for participants to analyse.

Additionally, I am surrounded by friendly colleagues with different specialisations. We learn from one another, and this also makes work much more fulfilling and enjoyable.

What are 3 qualities that are important for someone in your role to have?

The person must be inquisitive, able to communicate in both technical and non-technical terms,  and be able to adapt to the dynamic nature of cybersecurity.

Image by CSA

This article was originally published on CSA’s website.