Sunday, 1 October 2023

Is my mainframe under attack at the moment?

Cardinal Richelieu became a cardinal in 1622 and chief minister to King Louis XIII of France in 1624. And, as we know from Alexandre Dumas' book, The Three Musketeers, used a network of spies to ensure that he knew exactly what was going on in France and its neighbouring countries. Many mainframe sites could take a leaf out of Richelieu’s book (but, perhaps not too many!) to ensure that they know exactly what is going on inside their mainframe.

There are a number of people telling us that just because we haven’t spotted an attack on our mainframe yet, that doesn’t mean there hasn’t been one. And the reason they give for their message is simply that mainframes don’t have an early warning system to alert the security team that the early stages of an attack are taking place. All too often, it is only the arrival of a ransom demand that alerts anyone that a breach has taken place.

The latest Cost of a Data Breach Report from IBM Security found that the length of time it takes to identify a breach is, on average, 204 days, and the length of time to recover is, on average, a further 73 days. For the IT team, that must be a big concern. For the CFO, the big worry must be that the average cost of a breach is US$4.45 million.

Another cause for concern is that the report found that only 1 in 3 sites that experienced a breach had the breach identified by their own security teams or tools. The remaining 67% of breaches were reported by a benign third party or by the attackers themselves!

The big question that mainframe sites should be asking themselves is whether there is any way they could get some kind of early warning that the bad actors are already inside their mainframe. Well, is there?

The good news is that there is.

In a recent upgrade, MainTegrity’s FIM+ product not only provides an early warning of tampering at the various stages of an attack, but it can now stop the encryption stage as soon as it starts.

Just picking up on that point first, typically, mainframers realize that they are under attack when normal work on the mainframe stops. And it stops because the attackers have encrypted pretty much all the files. The ransom demand arrives shortly after, and they offer the key to unencrypt your files for a large quantity of bitcoins.

Obviously, encryption is going on all the time, you don’t want alerts being sent all the time because people would simply ignore them. FIM+ uses a whitelist for all the encryption activities it can ignore. It also doesn’t send a message to a human because we know how many files could be encrypted in the time it takes to read a message, put down your coffee cup and actually press a button. The software will suspend the job or TSO user immediately. That way, checks can be made at human speed in the certain knowledge that no more hostile encryption is taking place. If it really is OK to encrypt those files by that job or person, then everything can carry on from the point it was suspended. Otherwise, the job can be cancelled, and steps taken to recover the very few files affected.

That is a fantastic piece of software for saving your bacon at the last minute. It’s like those old cowboy movies where the 7th cavalry appears over the hills. But wouldn’t it be even better if you could be alerted to the fact that bad actors where inside your mainframe doing their nefarious worse earlier on?

Again, FIM+ can help. In the early stages of an attack, hackers are looking around your files to see what you’ve got and where the ‘good’ stuff is stored. FIM+ can identify unusual activity on configuration datasets (PARMLIBs, PROCLIBs, VTAMLST, TCPPARMS, etc) during this reconnaissance phase, and alert staff.

The software can also identify unusual number of read operations. If the number exceeds a customer-determined threshold, the early warning system can raise an alert.

Hackers may decide to bulk delete your files as a way of crippling your operations. Again, FIM+ can send alerts, or, if the number exceeds a predetermined threshold, it can suspend the job or TSO user.

Similarly, rather than delete a file, hackers may overwrite them with zeros, which can be difficult to detect. Again, if more than a preset number of files are being updated, FIM+ can send alerts or the job can be suspended.

Put these together, and you now have an early warning system installed on your mainframe to let you know that your mainframe is under attack. No need to wait 204 days before you become aware of what’s going on. Hacking gangs are no longer disgruntled teens waiting to say, “I’m in”, like they do in all the movies and TV shows. Now there is a mixture of criminal gangs, nation-states, and unhappy employees and ex-employees out there.

They don’t even need to know very much about hacking, they can buy so much as-a-Service (aaS). There’s Ransomware-as-a-Service (RaaS), Crypter-as-a-Service (CaaS), and Malware-as-a-Service (MaaS). You can buy access to a network using initial access brokers (IABs). There’s a whole industry out there making hacking your mainframe as easy as it can possibly be.

Doesn’t it make sense to have an early warning system in place already so you really know what’s going on?

 

No comments: