The Singapore health attack and the dwell time

While visiting Singapore in November 2018, I read an article in the local newspaper about an attack that apparently took place in the first half of 2018. The hack involved 1.5 million compromised (accessed, not modified) patient records of Singaporeans, out of a total of 5.01 million, including that of a famous patient: the prime minister of Singapore.

To give you an idea of the size:
28,000 employees
60,000 endpoints
6,000 servers

From the article:
The intrusions on SingHealth’s electronic medical records (EMR) system began undetected on June 27 before being discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS.
[Peter Baurichter comments:] This is not so bad at all.
The typical time between an attacker compromising a secured network and the breach being detected (reported by FireEye as “median dwell time” in its annual M-Trends report) amounted to 172 days in the APAC region during 2016. The global median dwell time, as opposed to the APAC dwell time, from compromise to discovery is up from 99 days in 2016 to 101 days in 2017.

So kudos to the security team of IHiS for detecting and responding within 6 days. You have beaten the global statistics big time.

A timeline of the SingHealth attack and how it was detected.

IHiS staff took six days to discover data had been stolen

The picture on top (so typical, always: I just love it. This time with a hoodie and some kind of sinister anonymous mask) is borrowed from Daniel Liu.

Median Dwell Times. The infographic is from a joint report of FireEye and Marsh & McLennan.