Proof Point for the Importance of Continuous Monitoring

Recent events in Malaysia have shown once again that continuous monitoring should be a key component in any cybersecurity program.

Malaysia’s myIMMs immigration system was recently discovered to have been under remote control by foreign syndicates for a number of years

The audacious case is centered on Malaysia’s myIMMs immigration system, which was recently discovered to have been under remote control by foreign syndicates for a number of years. These syndicates have manipulated the myIMMs system assisted by immigration department IT staff, immigration officers and even software vendors, who were paid to do so by the syndicates. More than 100 people — including immigration officers — were involved, and at least 15 have been arrested.

Malaysian Immigration Director-General Sakib Kusmi said “They deal online. The instructions come from overseas ... they can manipulate our system from outside. You can see this in our computers — the cursor moves without someone operating it…" He further stated that the syndicate was able to control the movement of anybody entering or leaving Malaysia. Clearly there are serious national security implications for Malaysia.

The systems were being actively controlled by malicious syndicates

Aside from the obvious failings of the department from a governance perspective, there are two things about this attack that stand out. The first is the fact that the state and configuration of the various components of the myIMMs system would have needed to be altered in some way to inject the necessary malware to facilitate remote control. The second is the fact that the systems were being actively controlled — remotely over the internet — by the malicious syndicates.

Tenable applies three different technologies to facilitate the detection of nefarious activities such as this – scanning, sniffing, and event analysis. These technologies can provide several vectors that enable the early detection of subterfuges such as the one in Malaysia. Manipulation of the endpoints — for example, the creation of backdoor accounts to facilitate outsider access — can be detected through event analysis. Injected malware can be identified by Nessus® with its ability to detect malicious processes in an endpoint. Our Passive Vulnerability Scanner™ detects the remote control traffic from syndicates such as those active in Malaysia to the various network systems and assets. All the data collected from these three functions can be amalgamated, analyzed and displayed on the SecurityCenter™ console, facilitating the central monitoring function that is so important to rapid threat identification.

Clearly, this case again proves the value of continuous monitoring. In fact, since this activity was facilitated by insiders, the perimeter defenses likely were blind to the attack, so a strategy focused on endpoints and events may be the only plausible detection strategy in this type of scenario.