VRT New Vulnerability Addition Request - Indicators of Attack

[miguelsantareno]

Hello,

After checking Bugcrowd VRT on GitHub I decided to send this email to suggest this change -> VRT Addition - Indicators of Attack

codingo commented on Mar 1, 2019, the following issue #224

“Currently the VRT doesn't cater for situations where a compromise has occurred, and proof is available. “

In this case Indicator of Attack is the “pre-stage” of the Indicator of Compromise.

While Indicators of Compromise shows where a compromise has occurred and proof is available, Indicators of Attack shows that an attack is likely to be in progress or there is a malicious intent to.

Where a couple of public references:

• https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/ioa-vs-ioc/
• https://www.sentinelone.com/cybersecurity-101/threat-intelligence/indicators-of-attack-ioa/

The VRT Category would be Indicators of Attack, and the description of the issue would be different.

CVSS Score would depend on the indicator as well as Remediation.

CWE would be null.

[TimmyBugcrowd]

Thanks a lot for raising this and for backing it with solid references.

The distinction between IoAs and IoCs is definitely important in threat detection, but since the VRT is primarily focused on actionable, exploitable vulnerabilities with clear impact, we're leaning toward the view that IoAs might be outside its current scope. The subjectivity of IoAs, lack of repro steps, and absence of CWE mappings make them hard to standardize across programs.

That said, we're open to hearing more, especially if you have an example where an IoA directly led to a security issue that couldn't be captured by an existing VRT category. Let us know what your thoughts are.

-Timmy

[miguelsantareno]

Hello @TimmyBugcrowd,

I can give you an example of a IoAs.

A open redirect saved on google cache or search engige that is currently exploiting to redirect users to porn website.

I got other report market as subdomain takeover but it was also an IoA because it was currently redirecting to porn after the bug was exploited.

I had that on bugcrowd and put it on IOC but it was a IOAs meaning that the vulnerebilidade is beeing exploited in the wild.

Like CISA advisories for CVE are IOAs because they are the trending vulnerabilities currently beeing exploited in the wild.

Hope this help.

Regards
MS

[miguelsantareno]

Hello @TimmyBugcrowd,

As a bug bounty hunter if I can notice the client that currently is behing exploit with IoAs insteed of sending IOCs it would be much more benefecial.

Regards
MS

[miguelsantareno]

Hello @TimmyBugcrowd,

Any update :)

Regards
MS

[TimmyBugcrowd]

Hi @miguelsantareno

Sorry for the late response on this. Giving your context I can think of a VRT entry with no Priority(Varies). What do you think?

[miguelsantareno]

Hello @TimmyBugcrowd,

Yes I agree with that, the same as IoCs in terms of Prority.

Regards
MS

[TimmyBugcrowd]

Will be added with the next release. Thank you

[miguelsantareno]

Thank you @TimmyBugcrowd