Enable Rapid Ransomware Recovery With IM Software

Many people work on the principle that their mainframe is safe from catastrophic attacks because it is different from Linux and Windows platforms. Hackers don’t understand how it works—what they used to call security by obscurity. Unfortunately, mainframes are generally high-value targets with plenty of critical data residing on them. That makes them an enticing target for hackers to learn to penetrate. Other people think of the mainframe as an island of computing that is somehow not connected to other computing platforms, making it very hard to penetrate. Again, that is not the case. Mainframes are connected to the web, the cloud and mobile devices, making them an integrated part of many computing networks.

The Problem

And many people don’t recognize what a big problem mainframe data breaches can be for an organization. Bad actors take their time to look around a mainframe before they get to the stage of triple extortion. IBM’s annual Cost of a Data Breach Report, which features research by the Ponemon Institute, found that the average time to identify and contain a data breach is 277 days—207 days to identify the breach and 70 days to contain the breach. The report also found that the average cost of a data breach is $4.35 million. And a data breach on a mainframe is not as unlikely as a big lottery win; it is an imminent threat for every organization.

The Consequences

Hackers know that on a mainframe, ransomware and other malware can’t be adequately detected and recovery can take many days. If a big bank is off the air for an hour, millions of transactions back up. If it is down for a day, the entire financial system grinds to a halt, as we found out in the financial crash of 2008. What if it is a hospital, or pension payments, or the credit system that gets targeted?

The Phases of an Attack

In “The 6 Phases of an Advanced Ransomware Threat,” Eric Vanderburg identified the stages of a ransomware attack.

Stage one is reconnaissance, where the hackers find out about an organization. You can assume many different groups of would-be hackers are doing this right now.

Stage two is penetration. IBM’s 2022 Cost of a Data Breach Report found that the biggest problems were phishing attacks, stolen credentials, cloud misconfiguration and compromised business partners. And that doesn’t include problems associated with disgruntled staff or ex-staff.

The third stage is fortification. Once the bad actors have penetrated your mainframe, they are at risk of being discovered. So, they leave backdoors around to make it very easy for them to penetrate next time. They may even leave time bombs, pieces of code that need to receive a signal from the hackers at regular intervals or else they go off, potentially damaging your data. Hackers may make changes to system software, applications and parameters—your infrastructure files. During this stage, hackers raise their security level to that of a systems programmer, giving them the authority to make any changes to the system they want. This may be done by dynamically adding a new APF library (created by the hackers) using an operator command. Then, they can work in authorized mode. Their programs can put themselves in supervisor state or any system key to modify control blocks or execute privileged commands and more.

The fourth stage is infiltration, where they can take copies of your data and backups.

Stage five is called spoliation. During this stage, your data (including backups) can be encrypted or corrupted.

Stage six, the final stage, is the ransom demand, which can appear on everyone’s screen and be repeatedly printed. With a triple extortion attack, hackers not only encrypt the data at their victim’s organization and demand a ransom to decrypt it, but also exfiltrate the data and threaten to publish it. And ransom demands are now being sent to the hacked organization’s suppliers or customers. The hackers can also threaten distributed denial-of-service (DDoS) attacks, or they might threaten to leak information about the attack and the personal data they have obtained.

The Solution: IM Software

SMF isn’t always enough to record what has happened, identify that an attack is taking place, or help the recovery team identify how to surgically restore the most up-to-date data. Something else is needed: integrity monitoring (IM) software. IM software can help when RACF (or similar software) has been bypassed (i.e., in stages three, four and five of an attack).

Scanning software runs over the files on the mainframe (including loadlibs, proclibs and config files) and creates a hash key (checksum) record for each. These hash keys are stored in a secure encrypted vault. Further scans can be run at regular intervals and the new hash keys can be compared to those in the secure vault. If they are the same, then an “OK” record is written to the log. Modern IM software can auto-discover APF libraries, proclibs, etc.

This secure vault acts as a whitelist—a list of programs that are authorized to be run on the mainframe—and the IM software will notify appropriate staff if any of these programs change and if any other programs get added or any programs are deleted (i.e., if any malware is put on a system). Messages will also go to the IM software log and to a SIEM (security incident and event management). In addition, the whitelist contains a hash key for other files, which means the IM software can monitor the z/OS system, IMS, CICS, Db2, TCP/IP, application executables, JCL, configs, USS files, scripts, CLists, log files and encrypted data sets. If something is amiss, alerts can be sent via text or email to an admin or central console. The frequency of these scans can be determined by the IM software users.
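The baseline-and-rescan cycle described above, reduced to its essentials, as an added example (this is illustrative code, not FIM+ or any other vendor's implementation). It hashes a set of files into a whitelist, seals the whitelist with an HMAC so that a tampered vault is detected before it is trusted, and classifies a later scan into OK, modified, added and deleted records. The file names and contents in `demo()` are constructed; `scan_directory()` is the stand-in for walking real loadlibs, proclibs and config files, and the vault key is assumed to be kept off the monitored system.

```python
import hashlib
import hmac
import json
from pathlib import Path


def hash_bytes(data: bytes) -> str:
    """Hash key (checksum) for one file's contents."""
    return hashlib.sha256(data).hexdigest()


def scan_directory(root: Path) -> dict[str, bytes]:
    """Read every regular file under root into a name -> contents mapping.
    Assumed stand-in for the scanner walking loadlibs, proclibs and configs."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """The whitelist: one hash key per file that is allowed to exist as it is."""
    return {name: hash_bytes(data) for name, data in sorted(files.items())}


def seal_baseline(baseline: dict[str, str], vault_key: bytes) -> dict:
    """Wrap the baseline with an HMAC so a tampered vault is detectable.
    The key (and ideally the vault itself) must live off the monitored system,
    otherwise an intruder with systems-programmer authority could rewrite both."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(vault_key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "tag": tag}


def open_baseline(sealed: dict, vault_key: bytes) -> dict[str, str]:
    """Refuse to use a baseline whose seal no longer verifies."""
    body = sealed["baseline"]
    expected = hmac.new(vault_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity vault tampered with or wrong key")
    return json.loads(body)


def compare_scan(baseline: dict[str, str], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every path: unchanged (ok), modified, added (not on the whitelist) or deleted."""
    current = build_baseline(files)
    result = {"ok": [], "modified": [], "added": [], "deleted": []}
    for name, old_hash in baseline.items():
        if name not in current:
            result["deleted"].append(name)
        elif not hmac.compare_digest(current[name], old_hash):
            result["modified"].append(name)
        else:
            result["ok"].append(name)
    result["added"] = [n for n in current if n not in baseline]
    return {k: sorted(v) for k, v in result.items()}


def scan_log_lines(result: dict[str, list[str]], scanned_at: str) -> list[str]:
    """One log record per file; anything other than OK is what the SIEM feed should carry."""
    return sorted(f"{scanned_at} {status.upper():8} {name}"
                  for status, names in result.items() for name in names)


def demo() -> dict[str, list[str]]:
    """Constructed sample files standing in for a loadlib, a proclib and a config member."""
    vault_key = b"constructed-demo-key-keep-off-host"   # assumption: stored outside the LPAR
    initial = {
        "LOADLIB/PAYCALC": b"program text v1",
        "PROCLIB/PAYJOB": b"//PAYJOB PROC\n//STEP1 EXEC PGM=PAYCALC\n",
        "CONFIG/PARMS": b"REGION=0M\n",
    }
    sealed = seal_baseline(build_baseline(initial), vault_key)
    # A later scan: PAYCALC patched, PAYJOB gone, an unknown program dropped into the loadlib.
    later = {
        "LOADLIB/PAYCALC": b"program text v1 + patch",
        "LOADLIB/SVCHOOK": b"unknown program",
        "CONFIG/PARMS": b"REGION=0M\n",
    }
    return compare_scan(open_baseline(sealed, vault_key), later)


if __name__ == "__main__":
    for line in scan_log_lines(demo(), "2024-03-01T03:00:00Z"):
        print(line)
```

The seal step is the part most often skipped in home-grown checkers: a baseline that sits on the same system, writable by the same authority the intruder has just acquired, proves nothing once fortification has happened.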

Backups and Alerts

In addition to identifying and alerting when infrastructure or other files have been modified, deleted or added, modern IM software can check the integrity of backups using hashing techniques to create a baseline. The backups can be checked at regular intervals to identify whether any changes have been made. Obviously, backups should never change, so if they do, it’s a clear sign that an attack is in progress.

However, on any mainframe, changes are being made all the time. Consequently, hundreds of alerts would be made, and no one would take any notice. Luckily, modern IM software can suppress alarms from approved changes and interoperate with change management systems such as BMC Helix or ServiceNow. It can also ensure that code levels in all LPARs are the same and detect wrong versions, missed changes and backout errors. It uses before and after snapshots to prove that everything was deployed correctly.

It’s important that the response team can easily use the alert software. They need to be able to tell how long ago everything was OK for the file that was changed—this depends on the scanning interval. Knowing an exact moment in time when a file was last uncorrupted means only a limited number of SMF records need to be checked to identify the person making the change, where they are logged in from and exactly when the change was made. The IM software will know what has changed. That information can be checked against change management software to see whether it was approved. If it was, everyone can relax.

Anyone who has ever been part of a response team knows that identifying an attack in progress is only half the story. If the hackers are using stolen credentials or if a disgruntled staff member is part of the attack, they need to be locked out of the system before they can do any more damage. Again, modern IM software can do that. It can also quarantine a suspicious file automatically.
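The triage logic this section describes, as an added example that is not part of the article or of any vendor's product: it takes a history of scan records, suppresses changes covered by an approved change ticket, refuses to suppress any change to a backup (backups never legitimately change), and for each remaining alert computes the window between the last OK scan and the alerting scan, which is the only span of SMF records the responders need to read. The scan history, data-set names, ticket numbers and the `BACKUP.` naming convention are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ScanRecord:
    scanned_at: datetime
    path: str
    status: str          # "ok", "modified", "added" or "deleted"


@dataclass(frozen=True)
class ApprovedChange:
    path: str
    ticket: str          # change-management reference (e.g. a ServiceNow change number)
    window_start: datetime
    window_end: datetime


BACKUP_PREFIX = "BACKUP."   # assumed naming convention for backup data sets


def matching_ticket(rec: ScanRecord, approved: list[ApprovedChange]) -> str | None:
    """Ticket that authorises this change, if one covers both the path and the detection time."""
    if rec.path.startswith(BACKUP_PREFIX):
        return None          # backups should never change: no ticket can suppress that alert
    for c in approved:
        if c.path == rec.path and c.window_start <= rec.scanned_at <= c.window_end:
            return c.ticket
    return None


def triage(records: list[ScanRecord], approved: list[ApprovedChange]) -> dict[str, list]:
    """Suppress approved changes, alert on everything else."""
    out: dict[str, list] = {"alerts": [], "suppressed": []}
    for rec in records:
        if rec.status == "ok":
            continue
        ticket = matching_ticket(rec, approved)
        if ticket:
            out["suppressed"].append((rec.path, ticket))
        else:
            out["alerts"].append(rec)
    return out


def last_known_good(records: list[ScanRecord], path: str, before: datetime) -> datetime | None:
    """Time of the last scan that found `path` unchanged, strictly before `before`."""
    good = [r.scanned_at for r in records
            if r.path == path and r.status == "ok" and r.scanned_at < before]
    return max(good) if good else None


def smf_window(records: list[ScanRecord], alert: ScanRecord) -> tuple[datetime | None, datetime]:
    """The change happened after the last OK scan and before the alerting scan;
    only SMF records from that interval need to be examined for who did it."""
    return last_known_good(records, alert.path, alert.scanned_at), alert.scanned_at


def _t(hour: int) -> datetime:
    """Constructed timestamps: hourly scans on 2024-03-01 (UTC)."""
    return datetime(2024, 3, 1, hour, tzinfo=timezone.utc)


def demo():
    """Constructed hourly scan history over three monitored files."""
    LOAD, PROC, BKP = "PROD.LOADLIB(PAYCALC)", "PROD.PROCLIB(PAYJOB)", "BACKUP.DAILY.G0001V00"
    records = [
        *(ScanRecord(_t(h), p, "ok") for h in (0, 1) for p in (LOAD, PROC, BKP)),
        ScanRecord(_t(2), LOAD, "ok"), ScanRecord(_t(2), PROC, "modified"), ScanRecord(_t(2), BKP, "ok"),
        ScanRecord(_t(3), LOAD, "modified"), ScanRecord(_t(3), PROC, "ok"), ScanRecord(_t(3), BKP, "modified"),
    ]
    approved = [
        ApprovedChange(PROC, "CHG-100", _t(1), _t(3)),   # the PAYJOB edit was scheduled
        ApprovedChange(BKP, "CHG-101", _t(2), _t(4)),    # a ticket exists, but backups are never suppressed
    ]
    result = triage(records, approved)
    windows = {a.path: smf_window(records, a) for a in result["alerts"]}
    return result, windows


if __name__ == "__main__":
    result, windows = demo()
    for a in result["alerts"]:
        print(f"ALERT {a.status} {a.path}: search SMF between {windows[a.path][0]} and {windows[a.path][1]}")
    for path, ticket in result["suppressed"]:
        print(f"suppressed {path} (approved under {ticket})")
```

Two design points carry over to a real deployment: the window is only as tight as the scan interval, so a file scanned hourly yields an hour of SMF records to read, and the backup exception must be hard-coded rather than left to the ticketing rules, otherwise a forged or over-broad change ticket would quietly hide the spoliation stage.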

The Recovery Process

Now the hardest part of the recovery begins: deciding which backups are untouched and contain good, recent copies of any files that have been modified by the bad actors. This can be a very time-consuming activity, but modern IM software maintains a log of changes and can identify files that have been corrupted and need replacing, as well as the most recent backups that can be used to restore from. Once everything is back, a final verification scan can prove everything came back correctly. 207 days is a long time to have some bad actors poking around in your mainframe. The software most sites currently use isn’t enough to protect their mainframes or make recovery easy. And with ransomware attacks on the rise on every platform, it makes sense to investigate how IM software would protect your organization. No one wants to be the victim of ransomware. If you’re looking for modern mainframe-based integrity monitoring software, then MainTegrity’s FIM+ is a good place to start.
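The backup-selection and verification steps of the recovery, as an added example that is not the article's or FIM+'s code. For each corrupted file the scan history supplies the last known-good hash; the newest backup whose copy still carries that hash, and whose backup set itself passed its integrity check, is the restore source. A backup taken after the tampering carries the bad hash and is skipped automatically, and a backup set that was itself altered is never trusted. After the restore, a verification scan lists anything that still does not match. All names, hashes and timestamps are constructed.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class BackupCopy:
    taken_at: datetime
    path: str            # file the copy belongs to
    hash_key: str        # hash of that file as stored in this backup
    backup_ok: bool      # the backup set itself passed its own integrity check


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_restore_source(path: str, known_good_hash: str,
                          backups: list[BackupCopy]) -> BackupCopy | None:
    """Newest intact backup whose copy of `path` still matches the last known-good hash.
    Copies taken after the corruption carry the bad hash and fall out of the candidate list."""
    candidates = [b for b in backups
                  if b.path == path and b.backup_ok and b.hash_key == known_good_hash]
    return max(candidates, key=lambda b: b.taken_at) if candidates else None


def plan_recovery(corrupted: dict[str, str],
                  backups: list[BackupCopy]) -> dict[str, BackupCopy | None]:
    """Map each corrupted file (path -> last known-good hash) to its restore source.
    None means no clean copy exists and the file needs manual recovery."""
    return {p: select_restore_source(p, h, backups) for p, h in corrupted.items()}


def verify_restore(restored: dict[str, bytes], expected: dict[str, str]) -> list[str]:
    """Final verification scan: paths whose restored contents still do not match."""
    return sorted(p for p, h in expected.items()
                  if p not in restored or hash_bytes(restored[p]) != h)


def _t(day: int) -> datetime:
    """Constructed daily backup timestamps in March 2024 (UTC)."""
    return datetime(2024, 3, day, tzinfo=timezone.utc)


def demo():
    """Constructed case: two corrupted files, with backups taken before and after the corruption."""
    good_paycalc, bad_paycalc = hash_bytes(b"PAYCALC v1"), hash_bytes(b"PAYCALC v1 + patch")
    good_parms, bad_parms = hash_bytes(b"REGION=0M\n"), hash_bytes(b"REGION=0M\nPLANTED=YES\n")
    corrupted = {"PROD.LOADLIB(PAYCALC)": good_paycalc, "PROD.CONFIG(PARMS)": good_parms}
    backups = [
        BackupCopy(_t(1), "PROD.LOADLIB(PAYCALC)", good_paycalc, True),
        BackupCopy(_t(2), "PROD.LOADLIB(PAYCALC)", good_paycalc, True),   # newest clean copy
        BackupCopy(_t(3), "PROD.LOADLIB(PAYCALC)", bad_paycalc, True),    # taken after the tampering
        BackupCopy(_t(1), "PROD.CONFIG(PARMS)", good_parms, False),       # backup set itself was altered
        BackupCopy(_t(3), "PROD.CONFIG(PARMS)", bad_parms, True),
    ]
    plan = plan_recovery(corrupted, backups)
    restored = {"PROD.LOADLIB(PAYCALC)": b"PAYCALC v1"}   # what came back from the chosen backup
    return plan, verify_restore(restored, corrupted)


if __name__ == "__main__":
    plan, leftover = demo()
    for path, src in plan.items():
        print(f"{path}: restore from backup of {src.taken_at.date()}" if src else f"{path}: no clean backup")
    print("still not matching after restore:", leftover)
```

The second file in the constructed case has no usable backup at all: its only clean copy sits in a backup set that was itself altered, and the later copy was taken after the planted change. That is exactly the situation the spoliation stage aims for, and it is why the backup integrity checks described in the previous section have to be running before an incident, not started during one.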