Early Warning
What Makes Early Warning Unique
Early Warning is the behavior-focused module of CSF. It catches attackers during reconnaissance and exploit attempts—before they achieve their objectives.
Early Warning answers the question: "Is someone probing my system or trying to escalate privileges?"
Early Warning Capabilities
- Detect z/OS Authority / Security Tampering — Monitors for changes to security settings, exits, and audit configurations
- Prevent UserID Impersonation — Detects and can block attempts to assume another user's identity
- Stop Rogue Encryption in Seconds — Identifies ransomware encryption patterns and suspends immediately
- Alert on Suspicious User Behavior — Tracks unusual access patterns, privilege escalation, and reconnaissance
Why Early Warning Matters
Most attacks follow a predictable pattern:
1. Reconnaissance — Attacker maps environment, tests permissions, looks for vulnerabilities
2. Exploit — Attacker leverages a gap to escalate privileges or gain unauthorized access
3. Attack — Attacker executes their objective (ransomware, data theft, sabotage)
Early Warning detects phases 1 and 2, enabling you to stop attackers before phase 3.
Attacks Are Easier Than You Think
From real-world penetration testing:
- Privilege escalation (becoming RACF SPECIAL) requires only 6 assembler instructions
- User impersonation (acting as another user) requires only 7 instructions
- AI assistance: ChatGPT generated working mainframe hardware encryption assembler code
- Tools freely available: Pen testing tools on GitHub can be used by attackers
You don't need 40 years of mainframe experience to attack a mainframe. Early Warning levels the playing field.
Three Layers of Detection
Layer 1: Reconnaissance Detection
Monitors user activities and generates alerts when thresholds are exceeded:
- Excessive read accesses to APF libraries, PARMLIB, PROCLIB, VTAMLST, TCPPARMS
- RACF commands indicating environmental mapping (SETROPTS LIST, LU *, SEARCH)
- Similar coverage for Top Secret and ACF2
When thresholds are exceeded:
- Immediate alert that thresholds were passed
- Summary report detailing all reconnaissance activity
Layer 2: Exploit Detection
Monitors for activities indicating attack preparation:
- Authorization escalation — non-authorized program becomes authorized
- Privilege escalation — user gains RACF SPECIAL or equivalent
- User impersonation — assuming another user's identity
- Dynamic exit alteration — installing exits to suppress activity tracking
- Security audit modification — altering audit settings to cover tracks
- Privileged command usage — SET PROG APF ADD, SET commands
Layer 3: Attack Detection
Monitors suspicious activities from batch or TSO programs:
- Excessive file scanning, updating, or deleting
- Hardware encryption while updating excessive files (ransomware signature)
- High CPU usage combined with high I/O
- Mass deletion or corruption patterns
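The threshold logic behind Layer 1 (reconnaissance) and the encrypt-while-mass-updating rule of Layer 3, shown as an added Python example that is not CSF or Early Warning code: it counts per-user reads of sensitive libraries and environment-mapping RACF commands against thresholds, flags hardware encryption combined with many distinct file updates, and produces the per-user summary that accompanies a reconnaissance alert. The event layout, library names, threshold values and sample events are constructed assumptions.

```python
# Added example, not CSF/Early Warning code: per-user threshold detection over
# constructed z/OS-style access events (user, kind, detail; kind READ/CMD/UPDATE/ENCRYPT)
# covering the Layer 1 recon rules and the Layer 3 encrypt rule. Thresholds are assumed.
from collections import Counter, defaultdict

SENSITIVE_LIBRARIES = {"SYS1.LINKLIB", "SYS1.PARMLIB", "SYS1.PROCLIB",
                       "SYS1.VTAMLST", "TCPIP.TCPPARMS"}  # assumed APF/system libs
MAPPING_COMMANDS = ("SETROPTS LIST", "LU *", "SEARCH")     # as listed on the page
READ_THRESHOLD = 5      # assumed: sensitive-library reads per user
COMMAND_THRESHOLD = 2   # assumed: environment-mapping commands per user
UPDATE_THRESHOLD = 3    # assumed: distinct files updated while encrypting

EVENTS = [
    ("USER01", "READ", "SYS1.PARMLIB"), ("USER01", "READ", "SYS1.PROCLIB"),
    ("USER01", "READ", "SYS1.VTAMLST"), ("USER01", "READ", "TCPIP.TCPPARMS"),
    ("USER01", "READ", "SYS1.LINKLIB"), ("USER01", "READ", "PAYROLL.DATA"),
    ("USER01", "CMD", "SETROPTS LIST"), ("USER01", "CMD", "SEARCH CLASS(DATASET)"),
    ("OPER2", "READ", "SYS1.PARMLIB"), ("OPER2", "CMD", "LU OPER2"),
    ("BATCH7", "UPDATE", "PROD.CUST.MASTER"), ("BATCH7", "ENCRYPT", "CPACF"),
    ("BATCH7", "UPDATE", "PROD.ORDERS"), ("BATCH7", "UPDATE", "PROD.LEDGER"),
]

def is_recon(kind, detail):
    """Layer 1 event: a read of a sensitive library or an environment-mapping command."""
    return (kind == "READ" and detail in SENSITIVE_LIBRARIES) or \
           (kind == "CMD" and detail.upper().startswith(MAPPING_COMMANDS))

def detect(events):
    """Return sorted (user, rule, count) alerts; Layer 1 thresholds plus the Layer 3 rule."""
    reads, cmds, encrypts, updates = Counter(), Counter(), Counter(), defaultdict(set)
    for user, kind, detail in events:
        if is_recon(kind, detail):
            (reads if kind == "READ" else cmds)[user] += 1
        elif kind == "UPDATE":
            updates[user].add(detail)
        elif kind == "ENCRYPT":
            encrypts[user] += 1
    alerts = []
    for user in {e[0] for e in events}:
        if reads[user] >= READ_THRESHOLD:
            alerts.append((user, "recon:sensitive-library-reads", reads[user]))
        if cmds[user] >= COMMAND_THRESHOLD:
            alerts.append((user, "recon:environment-mapping-commands", cmds[user]))
        if encrypts[user] and len(updates[user]) >= UPDATE_THRESHOLD:  # ransomware signature
            alerts.append((user, "attack:encrypt-while-mass-updating", len(updates[user])))
    return sorted(alerts)

def recon_summary(events, user):
    """Summary report to accompany a Layer 1 alert: every recon event by one user."""
    return [(k, d) for u, k, d in events if u == user and is_recon(k, d)]
```

In the constructed sample, OPER2's single PARMLIB read and `LU OPER2` (a self-lookup, not `LU *`) stay below threshold, while USER01 trips both reconnaissance rules and BATCH7 matches the encryption-plus-mass-update signature.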
Countermeasures: Stop Attacks, Don't Just Alert
Early Warning can automatically block certain attack techniques:
| Attack Type | Countermeasure Result |
|---|---|
| Authorization escalation | System 47 abend — privileged operation blocked |
| Privilege escalation | Countered — user remains unprivileged |
| User impersonation | Countered — impersonation attempt fails |
When countermeasures are enabled, attackers receive cryptic system errors while Early Warning alerts your team.
The IBMUSER Attack Vector
Every z/OS system has IBMUSER—a high-powered default account. Most sites disable it, but it often remains available in a revoked state. Attackers who gain RACF SPECIAL can:
- Resume the IBMUSER account
- Set their own password
- Log on with superuser capabilities
Early Warning detects successful IBMUSER logons—which should never occur in production.
Extended Tracking
Early Warning monitors activities beyond normal z/OS capabilities. Attackers plan reconnaissance to avoid activities the system normally records—Early Warning catches them doing things they wouldn't expect to be tracked.
Coverage: 42 Unique Monitoring Items
Early Warning monitors up to 42 unique items for RACF implementations, with similar coverage for ACF2 and Top Secret.
Access pattern monitoring includes:
- Protected datasets and operator commands
- BPX resources and FACILITY class
- JES Spool resources and SDSF functions
- ICSF functions and certificate resources
Early Warning vs. Other CSF Products
| If you need to... | Use... |
|---|---|
| Catch attackers in recon/exploit phase | Early Warning |
| Detect file changes and ransomware | FIM+ |
| Stop data leaving your mainframe | Data Exfiltration Defense |
| Verify vendor software before install | Supply Chain |
CRM Product Quote Description
Monitors up to 42 unique security items across three detection categories: Reconnaissance Detection (excessive library reads, access checking, privileged command usage), Exploit Detection (authorization escalation, privilege escalation, user impersonation with immediate actions), and Attack Detection (excessive file scanning, updating, deleting, encryption activity). Supports RACF, ACF2, and Top Secret.
Early Warning runs on CSF Foundation, which provides Real-time Reaction, Human Interface, Whitelisting, and Restore Assist capabilities.
