#WorkinginCSA: Leading CSA’s Digital Forensics and Incident Response Team

Published on 19 Jul 2021

We spoke with Sebestian Xu, a Senior Assistant Director with CSA’s National Cyber Incident Response Centre (NCIRC), on his work leading the Digital Forensics and Incident Response team. His team supports cyber incident investigations, ensuring that each incident is properly contained, investigated and remediated. Sebestian also shares with us his experience volunteering with the swab operations team at the migrant workers’ dormitories during the COVID-19 pandemic.

1. You used to be an air traffic controller with the Republic of Singapore Air Force (RSAF). So, what sparked your interest in moving into cybersecurity?

I studied Computer Engineering in university and later worked in the RSAF, where I contributed to the defence of Singapore. When you put the two together, cyber defence/cybersecurity was the natural conclusion! I was also exposed to cybersecurity in my last posting in the RSAF, where I helped set up a new branch in the Ministry of Defence aimed at formulating cybersecurity policies and reviewing governance issues for RSAF systems. That further piqued my interest in cybersecurity, and I even wrote an essay on the applicability of international law to cyber operations – which was awarded the first prize in the Chief of Defence Force essay competition back in 2016. When the opportunity arose to join CSA, I took it!

2. What is a typical day like working in the Digital Forensics and Incident Response (DFIR) team?

I lead a team of officers to support case investigations. When we are called to action, we liaise with stakeholders – these are often the Sector Leads of the various Critical Information Infrastructure (CII) sectors, or victim organisations themselves – to ensure that cyber incidents are properly contained and investigated, and that remediation measures are performed. This may involve going on-site to retrieve evidence for forensic investigation in our lab. We perform host or endpoint forensics as well as network forensics, and if we find any malware, we pass it on to our in-house malware analysis team, who then perform reverse engineering to figure out what the malware does.

Through these efforts, we aim to understand how the attackers got in, what actions they performed, how they moved laterally in the network, and whether there was data exfiltration. This helps us to identify the tactics, techniques and procedures (TTPs) used by the attackers, as well as uncover indicators of compromise (IOCs), which can then be shared with our stakeholders and partners. We also make recommendations on the remediation and preventive measures to be taken.

When we are not dealing with cases, we work on projects, sometimes with partner agencies, to hone our skills and develop new competencies to keep up with the latest developments in the field.

3. How do you keep abreast of cybersecurity trends and ensure your skills are relevant and updated?

There is a lot of reading and self-study involved. Having a passion for cybersecurity helps, as it motivates me to read up on developments which could range from big-picture issues, like the evolving threat landscape, to technical details such as how newly discovered vulnerabilities can be exploited. I also spend some of my free time sharpening my technical skills by getting hands-on practice through online platforms like TryHackMe or Capture-the-Flag web portals.

Being part of cybersecurity communities is also helpful, as people are often happy to share interesting articles or answer each other’s questions. Examples include the Global Information Assurance Certification (GIAC) Advisory Board, or simply being part of chat groups in CSA and following active individuals or pages on social media!

4. What advice do you have for those looking to work in cybersecurity?

Believe in life-long learning! The field of cybersecurity is a fast-paced one. Attackers are always looking for new ways to get in, while defenders are always trying to keep them out. As a cybersecurity professional, one must strive to keep abreast of the latest developments and continue picking up new skills. You will never know everything there is to know, but it is more important to have the maturity of thought to accept that, and not be afraid to consult others. Of course, one must also be self-motivated and invest time and effort into continuously expanding one’s knowledge in the field.

5. Tell us about your experience as a volunteer with the swab operations team at the dormitories during the COVID-19 pandemic.

I joined the swab operations teams during Singapore’s “circuit breaker” period, when we were at the height of the pandemic here. This was when COVID-19 infections had started to reach high levels in the migrant workers’ dormitories. There was a lot of uncertainty in the beginning, largely because the extent of the infection in the dormitories, the protocols to be adhered to, the duration and scope of the swabbing operations, etc, were all unknown to everyone involved. The swab teams were provided with training on the safety protocols, such as how to put on the Personal Protective Equipment (PPE), as well as guidelines on the do’s and don’ts. However, there was a lot of uncertainty once we were deployed on the ground, and we had to react quickly to the changing situations and requirements.

The situation was dynamic, and we would only know of the locations to conduct the swabbing operations the night before. We then had to coordinate quickly with the Ministry of Manpower’s representatives, dorm managers and medical teams over WhatsApp. When we went on-site the following day, we had to quickly assess the area and determine how to set up the stations and manage the human traffic for the operations, while adhering to safe distancing requirements. The swab operations had to be conducted safely and efficiently, so that we could move on to the subsequent site(s) for the day. We knew that we had to do our best to complete the required number of swabs for the day, so as to keep to the national-level schedule for the testing of the migrant workers living in the dormitories.

It was heart-warming to see how the volunteers actively looked out for one another during the operations, such as ensuring that everyone put on their PPE properly, encouraging one another, and keeping an eye out to make sure that no one suffered from heat stroke and dehydration. Despite the fluidity of the ground situation, everyone worked together to deal with challenges and pulled together to ensure that the operations could still be completed safely. It was heartening when volunteers tried to allay the concerns of the workers when they expressed fear and uncertainty about the swabbing or the spread of the disease, and also very encouraging when the workers expressed their gratitude and appreciation to us.

The experience was fruitful and memorable, and I am definitely glad to have been able to contribute in this small way to the fight against COVID-19.