What is Early Warning?
Early Warning is the behavior-focused module of CSF. It catches attackers during reconnaissance and exploit attempts—before they achieve their objectives. It answers the question: "Is someone probing my system or trying to escalate privileges?"
Catch attackers in the act. Behavior detection at machine speed.
Why Early Warning Matters
Most attacks follow a predictable pattern:
Phase 1
Reconnaissance
Attacker maps environment, tests permissions, looks for vulnerabilities
Phase 2
Exploit
Attacker leverages a gap to escalate privileges or gain unauthorized access
Phase 3
Attack
Attacker executes their objective (ransomware, data theft, sabotage)
Early Warning detects phases 1 and 2, enabling you to stop attackers before phase 3.
For certain exploit types — APF authorization escalation, RACF/ACF2/Top Secret privilege escalation, and privileged command execution — Early Warning detects the attempt before any damage is done.
What Makes Early Warning Unique
Early Warning Capabilities
- Detect z/OS Authority / Security Tampering — Monitors for changes to security settings, exits, and audit configurations
- Prevent UserID Impersonation — Detects and can block attempts to assume another user's identity
- Stop Rogue Encryption in Seconds — Identifies ransomware encryption patterns and suspends immediately
- Alert on Suspicious User Behavior — Tracks unusual access patterns, privilege escalation, and reconnaissance
Dynamic Authority Change Detection
60-Second Response Window
Early Warning checks for threshold violations every 60 seconds by default (configurable). While there is a brief lag between when a malicious program starts and when the offending task is stopped, this is dramatically faster than conventional approaches.
Result: Damage is limited to a few seconds, rather than the hours or days it may take to recognize and halt an attack with existing tools.
Covers 42 Unique Monitoring Items
Access pattern monitoring includes:
- Protected datasets and operator commands
- BPX resources and FACILITY class
- JES Spool resources and SDSF functions
- ICSF functions and certificate resources
Continuous Dataset Monitoring
Early Warning monitors active data files and libraries for unusual actions — even if they are not included in regular validation scans. Accesses are collected for an interval, and if they exceed customer-defined historical trends, an alert or other action can be triggered.
Extended Tracking
Early Warning monitors activities beyond normal z/OS capabilities. Attackers plan reconnaissance to avoid activities the system normally records — Early Warning catches them doing things they wouldn't expect to be tracked.
Countermeasures: Stop Attacks, Don't Just Alert
Early Warning can automatically block certain attack techniques:
| Attack Type | Available Actions | Countermeasure Result |
|---|---|---|
| Program authorization escalation | Suspend, Cancel, Counter | System 47 abend — privileged operation blocked |
| Privilege escalation | Suspend, Cancel, Counter | Countered — user remains unprivileged |
| User impersonation | Suspend, Cancel, Counter | Countered — impersonation attempt fails |
| Privileged command usage | Suspend, Cancel | Task suspended or cancelled |
| APF library update | Counter | Update blocked |
| Configuration / STC library update | Counter | Update blocked |
| Attack patterns (Layer 3) | Suspend, Cancel | Offending task stopped |
When countermeasures are enabled, attackers receive cryptic system errors while Early Warning alerts your team.
Three Layers of Detection
Layer 1
Reconnaissance Detection
Monitors aggregate counts of suspicious activities over a configurable polling interval. Alerts when customer-defined thresholds are exceeded.
Excessive Read Accesses To:
- Authorized (APF) libraries
- PARMLIBs, PROCLIBs
- VTAMLST, TCPPARMS
- Datasets used in started tasks
User Access Checking Of:
- Protected datasets and operator commands
- BPX resources and FACILITY class resources
- XFACILIT class resources
- JES Spool and SDSF functions
- ICSF functions and certificate resources
- Program resources and TapeVol resources
Special RACF Commands:
- SETROPTS LIST
- LU * (List User wildcard)
- SEARCH, LISTDSD, RLIST
Special Top Secret Commands:
- TSS MODIFY, TSS LIST(ACIDS), TSS WHOHAS
Excessive Display Commands:
- MVS, JES, VTAM, and other display commands
When thresholds are exceeded:
- Immediate alert that thresholds were passed
- Summary report detailing all reconnaissance activity
Layer 2
Exploit Detection
Certain exploit attempts are intercepted before the action completes. Immediate actions vary by item type.
Suspend + Cancel + Counter:
- Program authorization escalation (non-authorized program becomes authorized)
- User privilege escalation (user gains RACF SPECIAL or equivalent)
- User impersonation (assuming another user's identity)
Suspend + Cancel:
- Privileged operator command usage (SETPROG, SET, VARY, and client-definable commands)
Counter only:
- Update to authorized (APF) library
- Update to configuration / STC library
Detection and reporting only:
- Change to security audit options
- Changes to TSO authorized command tables
- Changes to TSO authorized program tables
- Dynamic changes to APF list
- Dynamic changes to system exits
- Attempted logons to IBMUSER or ACFUSER
- Excessive failed logons in a period
Layer 3
Attack Detection
Monitors for attack signatures during the polling interval. Triggers alerts and optional immediate actions (Suspend / Cancel) when customer-defined thresholds are exceeded.
- Scanning excessive files/datasets
- Updating excessive files/datasets
- Deleting excessive files/datasets
- Hardware encryption while updating excessive files (ransomware signature)
- Excessive hardware encryption instructions
- High CPU usage combined with high I/O
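The polling-interval logic behind Layer 1 (aggregate counts against fixed, customer-defined thresholds), Layer 3 (a composite signature that triggers an immediate action) and the Continuous Dataset Monitoring section above (interval counts compared with a user's own historical trend) can be sketched in a few dozen lines. The following is an added illustration, not CSF or Early Warning code; the event record layout, the category names, the threshold values, the sample events and the mean-plus-k-standard-deviations trend baseline are all constructed assumptions for the example.

```python
"""Toy polling-interval detector modelled on the behaviour described above.

Hypothetical event records: {"ts": seconds, "user": id, "category": name, "count": n}.
Categories, thresholds and sample data are constructed for this example only.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

INTERVAL_SECONDS = 60  # default polling interval; configurable, as on the page

# Layer 1: per-user count of one category within a single interval (assumed limits)
LAYER1_THRESHOLDS = {
    "apf_read": 50,       # reads of authorized (APF) libraries
    "racf_search": 20,    # SEARCH / LISTDSD / RLIST style commands
    "setropts_list": 3,   # SETROPTS LIST
    "display_cmd": 100,   # MVS / JES / VTAM display commands
}

# Layer 3: composite ransomware signature; every condition must hold in the same interval
RANSOMWARE_SIGNATURE = {"dataset_update": 200, "hw_encrypt": 200}


@dataclass(frozen=True)
class Alert:
    layer: int
    user: str
    interval_start: int
    reason: str
    action: str  # "alert" for report-only findings, "suspend" for an immediate action


class IntervalDetector:
    def __init__(self, interval=INTERVAL_SECONDS, min_history=3, k=3.0):
        self.interval = interval
        self.min_history = min_history  # intervals needed before a trend is trusted
        self.k = k                      # how far above the trend counts as unusual
        self.history = defaultdict(list)  # user -> dataset_access count per past interval

    def bucket(self, events):
        """Group events into (interval_start, user) -> {category: count}."""
        buckets = defaultdict(lambda: defaultdict(int))
        for ev in events:
            start = ev["ts"] - ev["ts"] % self.interval
            buckets[(start, ev["user"])][ev["category"]] += ev.get("count", 1)
        return buckets

    def evaluate(self, start, user, counts):
        alerts = []
        # Layer 1: fixed thresholds on reconnaissance-type activity
        for cat, limit in LAYER1_THRESHOLDS.items():
            n = counts.get(cat, 0)
            if n > limit:
                alerts.append(Alert(1, user, start, f"{cat}={n} exceeds {limit}", "alert"))
        # Layer 3: hardware encryption together with excessive updates -> suspend the task
        if all(counts.get(c, 0) >= n for c, n in RANSOMWARE_SIGNATURE.items()):
            alerts.append(Alert(3, user, start,
                                "hardware encryption with excessive dataset updates", "suspend"))
        # Continuous dataset monitoring: compare this interval with the user's own trend.
        # Simplification: intervals in which the user produced no events are not recorded.
        n_access = counts.get("dataset_access", 0)
        past = self.history[user]
        if len(past) >= self.min_history:
            baseline = mean(past) + self.k * pstdev(past)
            if n_access > baseline:
                alerts.append(Alert(1, user, start,
                                    f"dataset_access={n_access} above trend {baseline:.1f}", "alert"))
        past.append(n_access)
        return alerts

    def run(self, events):
        """Evaluate every (interval, user) bucket in time order and return all alerts."""
        alerts = []
        buckets = self.bucket(events)
        for key in sorted(buckets):
            alerts.extend(self.evaluate(*key, buckets[key]))
        return alerts


# Constructed sample stream: a steady user who suddenly spikes, a recon burst, a ransomware-like task
SAMPLE_EVENTS = [
    *[{"ts": 60 * i + 5, "user": "PAYROLL1", "category": "dataset_access", "count": 10}
      for i in range(4)],
    {"ts": 245, "user": "PAYROLL1", "category": "dataset_access", "count": 90},
    {"ts": 12, "user": "SYSPRG2", "category": "setropts_list", "count": 4},
    {"ts": 30, "user": "SYSPRG2", "category": "racf_search", "count": 35},
    {"ts": 40, "user": "SYSPRG2", "category": "apf_read", "count": 20},
    {"ts": 310, "user": "BATCH9", "category": "dataset_update", "count": 250},
    {"ts": 320, "user": "BATCH9", "category": "hw_encrypt", "count": 500},
]

if __name__ == "__main__":
    for a in IntervalDetector().run(SAMPLE_EVENTS):
        print(f"L{a.layer} t={a.interval_start:>4} {a.user:<9} {a.action:<7} {a.reason}")
```

Run as a script, the sample stream yields two Layer 1 alerts for SYSPRG2 in the first interval (SETROPTS LIST and SEARCH counts over their limits, APF reads under), a trend alert for PAYROLL1 in the fifth interval once four quiet intervals have established a baseline, and a Layer 3 suspend for BATCH9. The one-interval granularity is also the source of the lag the page describes: a burst is only seen when its interval closes.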
Technical Q&A: Use Cases
Use Case 1: Insider Privilege Escalation
Scenario: A system programmer attempts to grant themselves RACF SPECIAL authority.
Early Warning Detection:
- Layer 2 (Exploit Detection) triggers on the privilege escalation attempt
- Countermeasure blocks the escalation — user remains unprivileged
- Attacker receives a cryptic System 47 abend
Response:
- Alert sent to security team with user details
- Forensics browser shows exact command attempted
- User ID revoked pending investigation
Result: Escalation blocked entirely; no privileges gained.
Use Case 2: Reconnaissance Detection
Scenario: A compromised account begins mapping the z/OS environment.
Early Warning Detection:
- Layer 1 (Reconnaissance) detects excessive RACF SEARCH commands
- Read accesses to APF libraries exceed threshold
- SETROPTS LIST commands indicate environmental mapping
Response:
- Immediate alert when thresholds exceeded
- Summary report details all reconnaissance activity
- Account suspended before exploit phase begins
Result: Attacker detected during preparation; attack prevented.
Use Case 3: Ransomware Encryption Pattern
Scenario: Ransomware begins encrypting datasets using hardware encryption.
Early Warning Detection:
- Layer 3 (Attack Detection) identifies encryption combined with excessive file updates
- Hardware encryption activity flagged as ransomware signature
- Threshold exceeded within 60 seconds
Response:
- Offending task suspended automatically
- Alert sent with affected datasets list
- FIM+ Restore Assist guides recovery
Result: Encryption stopped after ~60 seconds of damage; rapid recovery.
