Use of the Avatar and CIT tools for Centralized Distribution and Control

By Peter V. Radatti President/CEO CyberSoft Operating Corporation
radatti@cyber.com +1 610/825-4748
December 2003

The VFind Security Tool Kit Professional (VSTKP) is a fully featured set of security and administration tools, not just an antivirus scanner. This paper assumes that you are already familiar with the primary function of the Avatar and CIT tools that are part of the VFind Security Tool Kit Professional. For those who are not: Avatar is an automated tool that runs without end-user intervention. Its primary function is to automatically “repair” a damaged system, where “damaged” is defined by the System Administrator or System Architect when they create the Avatar database. Avatar was designed for battlefield operation; it therefore assumes a hostile environment that may in fact be unmanned. The CIT tool complements the Avatar tool. CIT is generally used as a “big brother” type of program that allows the System Administrator or Security Officer to understand what is happening on a system. It does this by cryptographically digesting the entire contents of the system and then producing several reports, one of which highlights which files were added, deleted, modified or duplicated. It will also inform you of any dangerous or prohibited files on the system. This in turn supports understanding what an end user is doing, intrusion detection, detection of stealth trojanization of a system, and gives the System Administrator information that can cut system diagnostic time by a significant factor. In one case, a System Administrator in a government organization was able to determine that their server had been hacked, what the hacker modified and added to the system, and restore full operation within a couple of hours. Normally, an operation of this type would require a full system rebuild, which could take three to six days. For more information on the standard operation of these tools, review the technical white paper “Secrets of the VFind Security Tool Kit Professional Plus” on the web site www.cybersoft.com.

Using Avatar for centralized distribution and control of a heterogeneous, globally distributed network is within the design parameters and functionality of the program. In other words, this is a fully supported function.

The Avatar system is rule based. The rules are defined and then compiled into an Avatar database, along with any files or information required to fulfill the rules. Once created, a database can be used read-only: it can be distributed on CD-ROM, DVD or on a read-only exported file system. The ability to provide an Avatar database on a gold foil DVD, which is impervious to radiation damage, means that a lights-out operation could potentially repair any damage to critical components of the file system in the event of random “bit flipping”. In addition, Avatar is able to use multiple databases, including rollover databases. This feature is what allows centralized distribution of updates, upgrades, security patches, changes to the standardized baseline configuration and forced adherence to the baseline. The database(s) that Avatar uses do not have to reside on the system it is operating upon. A database can be located in a centralized network or command operations center and provided over a read-only virtual private network using standard approved encryption. Avatar is insensitive to the manner in which the database is provided as long as it can open and read the file. It is likewise insensitive to the location of the file system it is operating upon as long as it has full read/write permission on it. Because Avatar writes whatever its database directs, the database is the trust boundary: whoever can alter or substitute a database can alter every system that reads it. The distribution path, whether read-only media or a VPN whose peers are authenticated and not merely encrypted, is therefore the control that matters.

One example of a centralized distribution method that includes built-in safeguards is to configure Avatar for automated background operation with both a local Avatar database and a network-based Avatar database specified for processing. The local database contains the critical file system rules that must be maintained even in the event of a network failure or breach. The network-based database can be served from a central distribution point, or replicated locally from one. This network database can then be used for rapid deployment of system updates and the like. For example, if a new attack is attempted during operations, a security patch is required to fend it off, and the Avatar systems in the field are configured to check the network database every 12 hours, then the security patch can be distributed and installed globally within that 12 hour period. Assuming the bandwidth is available, the period can be shortened to any practical interval. This allows rapid baseline management and distribution for needs that evolve in near real time.

In this specific example there are several advantages:

  1. Training for Avatar’s security and distribution roles is the same. Anyone trained in Avatar can fulfill both functions.
  2. Fully trained senior people are scarce and valuable. The ability to bring the full power of senior people to bear globally, in a timely manner and from a centralized and safe location, expands the ability to react correctly in near real time.
  3. Centralized distribution using Avatar is an example of working smarter, not harder. An army of field technicians is not required to install distributions, since they can be installed automatically. This is a significant cost saving in manpower and training.
  4. Avatar’s database system is flexible, and multiple databases can be defined for execution. This means that database creation can be broken up and distributed among bodies of authority. In a complex multi-vendor environment you could break these databases up by vendor, or by any other function, with either centralized approval and distribution or multiple distribution centers.
  5. Rollover functionality means that if a specific network operations center is not functional, a secondary distribution point can be specified. This secondary point can in turn define its own rollover distribution points.
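The local-plus-network arrangement just described, with rollover to a secondary distribution point, as an added illustration. This is hypothetical Python written for this article, not Avatar’s code or its database format; the JSON rule layout, the file paths and the “ops-center”/“backup-site” locations are all assumptions. The database is read whole from the first location that can be opened, each rule carries its own digest so a corrupted or substituted payload is rejected rather than written, and a protected file is restored only when its digest differs from the baseline:

```python
"""Added illustration for this article: an Avatar-style rule database with a
local database plus a network database and rollover distribution points.
This is hypothetical code, not CyberSoft's Avatar or its database format."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_database(files: dict) -> str:
    """'Compile' rules into a self-checking database: each protected path
    carries the content to restore and the digest that content must have."""
    rules = [{"path": p, "sha256": sha256_bytes(c.encode()), "content": c}
             for p, c in files.items()]
    return json.dumps(rules, indent=1)


def load_first_readable(candidates):
    """Open the first database that can be read.  Later entries are rollover
    distribution points used when the primary operations center is down."""
    for candidate in candidates:
        try:
            with open(candidate, "r", encoding="utf-8") as fh:
                return Path(candidate), json.load(fh)
        except (OSError, ValueError):
            continue
    return None, []


def apply_rules(root: Path, rules) -> list:
    """Enforce each rule on the protected tree: a file must exist with the
    expected digest, otherwise it is restored from the compiled payload."""
    actions = []
    for rule in rules:
        payload = rule["content"].encode()
        if sha256_bytes(payload) != rule["sha256"]:
            # A payload that does not match its own digest is never written.
            actions.append(("rejected", rule["path"]))
            continue
        target = root / rule["path"]
        current = sha256_bytes(target.read_bytes()) if target.exists() else None
        if current == rule["sha256"]:
            actions.append(("ok", rule["path"]))
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(payload)
        actions.append(("restored" if current else "created", rule["path"]))
    return actions


def demo() -> dict:
    """Constructed scenario: the primary network database is unreachable,
    one protected file is missing and another has been altered."""
    root = Path(tempfile.mkdtemp())
    local_db = root / "local.db"
    primary_db = root / "ops-center" / "baseline.db"      # never written: simulates a down NOC
    secondary_db = root / "backup-site" / "baseline.db"   # rollover distribution point
    secondary_db.parent.mkdir()
    local_db.write_text(compile_database({"etc/hosts.allow": "sshd: 10.0.0.0/8\n"}))
    secondary_db.write_text(compile_database({"etc/ssh/sshd_config": "PermitRootLogin no\n"}))
    (root / "etc/ssh").mkdir(parents=True)
    (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")  # hostile change

    results = {}
    for label, candidates in (("local", [local_db]), ("network", [primary_db, secondary_db])):
        used, rules = load_first_readable(candidates)
        results[label] = (used.relative_to(root).as_posix() if used else None,
                          apply_rules(root, rules))
    # A second pass finds nothing to do: the baseline is now enforced.
    results["second_pass"] = apply_rules(root, load_first_readable([secondary_db])[1])
    # A substituted database whose digest does not match its payload is refused.
    results["tampered"] = apply_rules(root, [{"path": "etc/hosts.allow",
                                              "sha256": "0" * 64,
                                              "content": "sshd: ALL\n"}])
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The per-rule digest only catches corruption or a clumsy substitution; an attacker who can write the database can recompute the digests, which is why the text above puts the trust boundary on the distribution path rather than on the database contents.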

The second tool under discussion in this paper is the Cryptographic Integrity Tool, CIT. In addition to the human-readable report, CIT produces a machine-readable report which can be used by a threat assessment program such as the VFind pattern analysis system to look for attack code (a.k.a. computer viruses). This machine-readable report is the list of files on the protected file system that have been added or modified since the last time CIT was run; these are the prime candidates for analysis. In addition, since CIT does not rely upon the system date and time and uses cryptographic-strength digests, you will know within a specified time window when a file system event took place, even if the intruder reset the file’s timestamps. That time window is the period between the creation of a CIT database and the following CIT execution. This information is very valuable to a Security Analyst.

It should be noted that while Avatar only pays attention to the files and directory trees it is directed to protect, the CIT tool can evaluate the entire system. This makes the CIT tool complementary and valuable when ascertaining the condition of a system.

The CIT database format is open and can be viewed with a standard text editor. This means that a collection of databases can be created and used as a diagnostic tool against any system. Such databases can reveal information such as which revision a system conforms to, which operational files were modified, and what the system has been doing. If these databases are downloaded to a central point, they can be used for almost instant detection of a previously unknown attack against the systems in a network. In addition, a centralized collection of operational CIT databases allows easy determination of baseline compliance, thereby closing a command and control loop. Digestion of these databases at the central location can produce almost any kind of report necessary for the maintenance of the systems. One practical point follows from the format being plain text: a CIT database left on the monitored host is as editable by an intruder as the files it describes, so the copy held centrally or on read-only media is the one to compare against.
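An added illustration of the CIT behaviour described in the three paragraphs above, written for this article in Python; it is not CIT’s code and its text database layout is an assumption. It digests a tree, stores the baseline as open text outside the protected tree, and reports added, deleted, modified and duplicated files, the machine-readable candidate list, the event window, and candidates matching a constructed prohibited-digest list. The scenario resets the trojaned file’s timestamp to show that the comparison does not depend on file dates:

```python
"""Added illustration for this article: a CIT-style integrity snapshot, the
comparison report and the machine-readable candidate list.  Hypothetical
code and database layout, not CyberSoft's CIT."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Constructed digest list standing in for CIT's dangerous/prohibited file set.
PROHIBITED = {hashlib.sha256(b"rootkit\n").hexdigest()}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Digest every regular file under root.  The time is taken by the scanner
    itself; file timestamps are never consulted, so resetting mtime hides nothing."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                files[p.relative_to(root).as_posix()] = sha256_file(p)
    return {"taken": time.time(), "files": files}


def compare(old: dict, new: dict) -> dict:
    """Human-readable sections plus the machine-readable candidate list a
    pattern scanner would consume: every path added or modified since 'old'."""
    a, b = old["files"], new["files"]
    report = {
        "added": sorted(set(b) - set(a)),
        "deleted": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
        # The event happened somewhere in this window, whatever the file dates say.
        "window": (old["taken"], new["taken"]),
    }
    by_digest = {}
    for p, d in b.items():
        by_digest.setdefault(d, []).append(p)
    report["duplicated"] = sorted(sorted(v) for v in by_digest.values() if len(v) > 1)
    report["candidates"] = report["added"] + report["modified"]
    report["prohibited"] = [p for p in report["candidates"] if b[p] in PROHIBITED]
    return report


def demo() -> dict:
    """Constructed intrusion: trojaned login with its mtime reset, a dropped
    rootkit, a deleted motd and a hidden copy of ls."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin/ls").write_bytes(b"original ls binary\n")
    (root / "bin/login").write_bytes(b"original login binary\n")
    (root / "etc/motd").write_bytes(b"welcome\n")
    baseline = snapshot(root)
    # The baseline is kept as open text outside the protected tree (in practice
    # shipped to the operations center), so an intruder on the host cannot rewrite it.
    db_path = Path(tempfile.mkdtemp()) / "host1.cit"
    db_path.write_text(json.dumps(baseline, indent=1))

    mtime = (root / "bin/login").stat().st_mtime
    (root / "bin/login").write_bytes(b"trojaned login binary\n")
    os.utime(root / "bin/login", (mtime, mtime))   # attacker restores the timestamp
    (root / "bin/.rk").write_bytes(b"rootkit\n")
    (root / "etc/motd").unlink()
    (root / "bin/.ls_copy").write_bytes(b"original ls binary\n")

    return compare(json.loads(db_path.read_text()), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Feeding only the candidate list to a scanner is what makes the "near real time" loop affordable: the scanner looks at a handful of changed files, not the whole disk.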

While the Avatar and CIT systems can use remotely mounted file systems for their databases and execution, this only allows near real time operation, since execution is scheduled. Scheduling is a good thing in that it allows an orderly progression and the event window can be kept secret, or even randomized, but there is still a need for real time deployment in the event of a serious attack. Avatar, CIT and all of the other tools in the VSTK can be deployed in real time for centralized distribution using the Miniweb tool. In fact, Miniweb can be used to control products developed by companies other than CyberSoft. The Miniweb program is being released as part of the standard maintenance and upgrade program in VSTKP Version 165 (January/February 2004), and will be a no-cost item for those customers. Miniweb is a miniature, high security, stripped-down web server. It has a very small memory footprint, requires minimal configuration and can coexist with all other web servers. Miniweb can be bound to the system it is operating upon so that only a local operator can access it, or it can be bound to a specific list of systems, or even opened to all. This list can include the centralized operations office. Miniweb is intended as a graphical user interface for the VSTKP tool kit. It uses standard HTML 1.1 code and has the ability to execute both script and Perl CGI applications. VSTKP 165 has a full graphical user interface with portable Bourne shell scripts for the CGI applications; Perl installation is not required. Using Miniweb, a centralized distribution point can force the execution of Avatar and/or CIT with a simple script, thereby providing real time functionality. Note that an endpoint which can force tool execution is itself a control-plane target: it should be bound as narrowly as the operation allows, the open binding reserved for networks already protected by the VPN described above, and its CGI scripts should run fixed commands rather than pass request data to a shell.
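An added illustration of a control endpoint of the kind the paragraph describes, written for this article in Python on the standard library’s http.server; it is not Miniweb, and the wrapper script paths under /usr/local/sbin are assumptions. It binds to one address, checks the peer against a network allowlist, and maps a request path to a fixed command table so that nothing from the request is ever handed to a shell:

```python
"""Added illustration for this article: a Miniweb-style control endpoint that
lets an allowlisted operations center force a tool run.  Hypothetical code,
not CyberSoft's Miniweb; the wrapper script paths are made up for the example."""
import ipaddress
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fixed command table (hypothetical wrapper scripts).  Request data is only ever
# used to pick an entry; nothing from the request reaches a shell.
ACTIONS = {
    "avatar": ["/usr/local/sbin/run-avatar.sh"],
    "cit": ["/usr/local/sbin/run-cit.sh"],
}


def client_allowed(addr: str, allowlist) -> bool:
    """True when the peer address falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowlist)


def resolve_action(path: str):
    """Map /run/<name> to its fixed argv; any other path, including attempts
    at traversal or shell metacharacters, resolves to nothing."""
    prefix = "/run/"
    if not path.startswith(prefix):
        return None
    return ACTIONS.get(path[len(prefix):])


class ControlHandler(BaseHTTPRequestHandler):
    # Default: only a local operator.  Add the operations center's network to
    # allow remote, real-time forcing of Avatar/CIT runs.
    allowlist = ["127.0.0.1/32"]

    def do_POST(self):
        if not client_allowed(self.client_address[0], self.allowlist):
            self.send_error(403)
            return
        argv = resolve_action(self.path)
        if argv is None:
            self.send_error(404)
            return
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=600)
        body = proc.stdout.encode()
        self.send_response(200 if proc.returncode == 0 else 500)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(bind="127.0.0.1", port=8080, allowlist=("127.0.0.1/32",)):
    """Bind to one interface only; an open bind (0.0.0.0) is the case to avoid."""
    ControlHandler.allowlist = list(allowlist)
    HTTPServer((bind, port), ControlHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Source-address allowlisting is not authentication: anything inside an allowed range, or anything that can spoof an address on the path, can trigger a run, so in practice an endpoint like this belongs behind the authenticated VPN the paper describes or behind TLS client authentication.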

These three tools, included in the VSTKP Version 165 product, provide most of the functionality needed for centralized distribution in addition to their security role. In recap:

  1. Centralized distribution, baseline management and automated repair via Avatar.
  2. Centralized control and intelligence via CIT. (Closing the loop.)
  3. Real time control using Miniweb.

This is in addition to all of the other functionalities that can be fulfilled using the product.