
Intelligence-Driven Threat Hunting is the Best Way to Protect the Mainframe

Cynthia Overby

September 1, 2020

Cyber threats can come from anywhere and can wreak havoc at varying scales. From organized crime to spyware, malware and adware, to disgruntled employees seeking revenge on the organization, digital threats can set your business back immensely.

When it comes to defending your company against such threats, the mainframe is frequently forgotten. Mainframe weaknesses are hard to identify objectively, so the risks they create are hard to define and operationalize against. Most organizations do not proactively scan or assess the dynamic risks to the mainframe that could directly impact their business down the road. Several classes of code-based operating system vulnerability pose an imminent risk to your mainframe, including:

  • Trap Door: The most severe class of z/OS integrity vulnerability; it lets a non-authorized user make changes directly to the active system environment.
  • Storage Alteration: Lets a non-authorized user alter memory it should not be able to write, potentially allowing it to take control, corrupt data, or cause an outage.
  • System Instability: An authorized program is invoked in a manner different from its design, which can cause service issues up to and including a system crash.
  • Storage Reference: A non-authorized user can fetch (read) protected storage, exposing data it should not see; it can also cause service issues up to and including a system crash.
  • Identity Spoofing: An attacker can masquerade as someone else by creating alternate security credentials.
  • Security Probing: An attacker can work out how security is implemented by deconstructing security parameters.
  • Least Privilege: An attacker can escalate and abuse authority by assigning privilege beyond what a user needs.

For the past two decades, mainframe security has largely been about preventing and detecting threats: keeping attackers off the network and pen testing for known vulnerabilities and the patterns seen in previous breaches. Vulnerability awareness is the foundation, but IT teams need to build on it by moving from yearly compliance checks to daily scanning.

Enter threat hunting. A more active defense strategy for security analysts, threat hunting is an iterative, hypothesis-driven process for detecting threats that have already evaded your existing controls but remain hidden in the system. On the mainframe, z/OS Integrity-Based Threat Hunting operates on the principles defined in IBM's Statement of Integrity for z/OS.

How do you Threat Hunt on the Mainframe?

To start, threat hunters need to know the specific tactics, techniques and procedures (TTPs) an adversary can use to gain access to data or take control of a system, understand the types of vulnerabilities those TTPs exploit, and search for them. With this in mind, threat hunters can take one of three approaches to forming their hypothesis: analytics-driven, situational-awareness-driven or intelligence-driven.

With an analytics-driven hypothesis, the threat hunter uses user and entity behavior analytics (UEBA), such as privileged-user monitoring or insider-threat monitoring, to first document normal user behavior and then detect activity that strays from those patterns.

A situational-awareness-driven approach relies on a consistent understanding of the mainframe's state, which yields timely, relevant and accurate assessment of potential threats and of the actions to take in response. The threat hunter can follow the Observe, Orient, Decide, Act (OODA) loop to maintain awareness and respond appropriately.

While both of those methodologies are effective, an intelligence-driven, hypothesis-based hunting cycle wins in our book. Threat hunters seek out actionable insight into adversaries and their malicious activities, enabling the organization to make highly informed security decisions. To inform their security strategy with intelligence-driven threat hunting, IT teams should follow these steps:

  • Know your adversary's mindset
  • Research your attack surface, leveraging previous vulnerability reports
  • Investigate the attack vectors that could be exploited
  • Detect anomalous or malicious activity and analyze the risk
  • Inform your team leaders and take action
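As an added example (not code from the original post or from Rocket), here is a small Python hunt that runs both the analytics-driven hypothesis described earlier and the intelligence-driven cycle above over constructed audit events. The analytics pass baselines each user's event types, dataset high-level qualifiers and active hours and flags whatever strays from that profile; the intelligence-driven pass encodes two hypotheses drawn from the vulnerability classes listed near the top of the post: a system-wide RACF attribute such as SPECIAL granted by someone outside the approved admin group or to oneself (Least Privilege), and one user failing against many distinct resources inside an hour (Security Probing). The CSV layout, user IDs, dataset names, dates and the approved-admin set are all assumptions for the example; the records are constructed and do not follow the real SMF type 80 record format.

```python
# Constructed, simplified audit-event CSV (day,hour,user,event,resource,outcome).
# NOT a real SMF type 80 / RACF record layout; users, datasets and dates are made up.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditEvent:
    day: str        # YYYY-MM-DD
    hour: int       # 0-23
    user: str       # acting user ID
    event: str      # ACCESS, PERMIT, ALTUSER (RACF access / command names)
    resource: str   # dataset for ACCESS; "target_user:attribute" for ALTUSER
    outcome: str    # SUCCESS or FAIL

def parse_events(text):
    """Parse the constructed CSV; '#' lines are comments."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        day, hour, user, event, resource, outcome = (f.strip() for f in line.split(","))
        events.append(AuditEvent(day, int(hour), user, event, resource, outcome))
    return events

def hlq(ds): return ds.split(".", 1)[0]  # high-level qualifier: PAY.MASTER -> PAY

# Analytics-driven hypothesis: profile normal behaviour per user, then flag what strays.
def build_baseline(events):
    profile = defaultdict(lambda: {"events": set(), "hlqs": set(), "hours": set()})
    for e in events:
        p = profile[e.user]
        p["events"].add(e.event)
        p["hours"].add(e.hour)
        if e.event == "ACCESS":
            p["hlqs"].add(hlq(e.resource))
    return dict(profile)

def find_deviations(baseline, events):
    """(event, reasons) for every event that strays from its user's baseline."""
    findings = []
    for e in events:
        p = baseline.get(e.user)
        if p is None:
            findings.append((e, ["user never seen in baseline window"]))
            continue
        reasons = []
        if e.event not in p["events"]:
            reasons.append(f"new event type {e.event}")
        if e.event == "ACCESS" and hlq(e.resource) not in p["hlqs"]:
            reasons.append(f"new dataset HLQ {hlq(e.resource)}")
        if not (min(p["hours"]) - 1 <= e.hour <= max(p["hours"]) + 1):  # crude hours window
            reasons.append(f"active at {e.hour:02d}:00, outside baseline hours")
        if reasons:
            findings.append((e, reasons))
    return findings

# Intelligence-driven hypotheses, from the TTPs behind the vulnerability classes above.
APPROVED_SECURITY_ADMINS = {"SECADM1"}                   # assumed for the constructed data
PRIVILEGED_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # system-wide RACF user attributes

def hunt_privilege_grants(events):
    """Least privilege: a system-wide attribute granted by a non-admin, or to oneself."""
    hits = []
    for e in events:
        target, _, attr = e.resource.partition(":")
        if e.event != "ALTUSER" or e.outcome != "SUCCESS" or attr not in PRIVILEGED_ATTRS:
            continue
        reasons = []
        if e.user not in APPROVED_SECURITY_ADMINS:
            reasons.append("privileged attribute granted by non-admin")
        if target == e.user:
            reasons.append("self-grant of privileged attribute")
        if reasons:
            hits.append((e, reasons))
    return hits

def hunt_probing(events, threshold=3):
    """Security probing: one user fails against >= threshold distinct resources in one hour."""
    fails = defaultdict(set)
    for e in events:
        if e.outcome == "FAIL":
            fails[(e.user, e.day, e.hour)].add(e.resource)
    return [(key, sorted(res)) for key, res in fails.items() if len(res) >= threshold]

BASELINE_LOG = """
2020-08-03,09,PAYROLL1,ACCESS,PAY.MASTER,SUCCESS
2020-08-04,14,PAYROLL1,ACCESS,PAY.HISTORY,SUCCESS
2020-08-03,08,SECADM1,PERMIT,PAY.MASTER,SUCCESS
2020-08-04,11,SECADM1,ALTUSER,PAYROLL2:SPECIAL,SUCCESS
2020-08-03,23,BATCH01,ACCESS,PAY.HISTORY,SUCCESS
"""
HUNT_LOG = """
2020-08-10,09,PAYROLL1,ACCESS,PAY.MASTER,SUCCESS
2020-08-10,02,PAYROLL1,ACCESS,SYS1.PARMLIB,FAIL
2020-08-10,02,PAYROLL1,ACCESS,SYS1.LINKLIB,FAIL
2020-08-10,02,PAYROLL1,ACCESS,SYS1.PROCLIB,FAIL
2020-08-10,02,PAYROLL1,ACCESS,SYS1.UADS,FAIL
2020-08-10,03,PAYROLL1,ALTUSER,PAYROLL1:SPECIAL,SUCCESS
2020-08-10,08,SECADM1,ALTUSER,NEWHIRE1:OPERATIONS,SUCCESS
2020-08-10,23,BATCH01,ACCESS,PAY.HISTORY,SUCCESS
"""

if __name__ == "__main__":
    base, hunt = build_baseline(parse_events(BASELINE_LOG)), parse_events(HUNT_LOG)
    for e, why in find_deviations(base, hunt) + hunt_privilege_grants(hunt):
        print(e.user, e.event, e.resource, "->", "; ".join(why))
    for (user, day, hour), res in hunt_probing(hunt):
        print(user, f"{day} {hour:02d}:00 probing ->", ", ".join(res))
```

Run stand-alone, the analytics pass reports only PAYROLL1 (new SYS1 high-level qualifier, off-hours activity, and a never-before-seen ALTUSER), while the two hypothesis hunts confirm a self-granted SPECIAL attribute by a non-admin and a burst of failed accesses across four SYS1 datasets at 02:00; the admin's grant to NEWHIRE1 and the nightly batch access are not flagged. In practice the baseline and hunt windows would come from SMF type 80 (RACF) records or the equivalent from another external security manager, the approved-admin set from the security team, and the crude working-hours window and probing threshold are tuning knobs a hunter adjusts per user population.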

As long as humans are writing code, the mainframe will have vulnerabilities. Organizations can keep attackers out and level up their mainframe security by taking advantage of intelligence-driven threat hunting and the increasingly automated tools that push the cycle along.

We want to help your business protect its mainframe against dangerous attackers. Learn more about mainframe security solutions here.