Threat actors, malware types, social engineering, attack vectors, and vulnerability categories. Weight: ~22% of exam.
A threat actor is any entity that poses a risk to your systems (CompTIA, 2023). The exam tests you on matching actor TYPE to their likely MOTIVATION and SOPHISTICATION level (CompTIA, 2023).
The key exam distinction is how malware spreads and what it does (CompTIA, 2023). Know these pairs cold (Souppaya & Scarfone, 2013):
| Type | Spreads How? | What It Does | Exam Clue |
|---|---|---|---|
| Virus | Requires user action (open file) | Attaches to/infects other files | "Needs a host file" |
| Worm | Self-replicating, no user action | Spreads across networks | "Spreads itself" |
| Trojan | Disguised as legitimate software | Opens backdoor, drops payload | "Looks innocent" |
| Ransomware | Email, exploit kits | Encrypts files, demands payment | "Pay to decrypt" |
| Rootkit | Exploits, trojans | Hides at OS/firmware level | "Hardest to detect/remove" |
| Keylogger | Trojan, physical | Records keystrokes | "Steals credentials" |
| Spyware | Drive-by download | Monitors and exfiltrates data | "Watches silently" |
| Botnet/Bot | Worm, trojan | C2 controlled, used for DDoS/spam | "Command & Control" |
Ransomware and extortion techniques were involved in 32% of all breaches in 2023, highlighting the persistent financial motivation behind malware deployment (Verizon, 2024). Rootkits operate at the OS or firmware level and are among the most difficult malware categories to detect and remove (Stallings & Brown, 2023).
Social engineering exploits human psychology, not technical vulnerabilities (Cialdini, 2007). The exam loves scenario questions: read the scenario, identify the attack type (CompTIA, 2023). The 2024 DBIR found that 68% of breaches involved a non-malicious human element, such as falling victim to a social engineering attack (Verizon, 2024).
| Attack | Vector | Key Feature |
|---|---|---|
| Phishing | Email (mass) | Generic "click this link" to many targets |
| Spear Phishing | Email (targeted) | Uses victim's name, role, or context |
| Whaling | Email (targeted) | Spear phishing aimed at executives (C-suite) |
| Vishing | Voice/phone call | "Your account has been compromised, verify now" |
| Smishing | SMS text | Malicious link in a text message |
| Pretexting | Any channel | Attacker fabricates a scenario/identity |
| Baiting | Physical (USB drop) | Leave infected USB in parking lot |
| Tailgating | Physical | Following someone through a secure door |
Social engineers exploit the six principles of influence described by Cialdini (2007). The exam may ask which principle is being used in a scenario (CompTIA, 2023). Phishing remains one of the most prevalent initial access vectors across all industries (CISA et al., 2023).
DoS vs DDoS: A DoS (Denial of Service) comes from one source. A DDoS (Distributed DoS) comes from many — typically a botnet (Stallings & Brown, 2023). Both overwhelm a target with traffic or requests, disrupting service availability (NIST, 2012).
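The one-source versus many-sources distinction is exactly what a defender looks for in logs. The following Python script is an added example (not part of the original study notes or any cited source): it parses constructed access-log lines, counts requests per client address, and labels a burst as DoS when a single source dominates or DDoS when the load is spread across many sources. The log format, the thresholds (`total_threshold`, `single_source_share`) and the sample addresses are assumptions made for the example.

```python
"""Classify a burst of requests as normal, DoS (one source) or DDoS (many sources).

Added example for the DoS vs DDoS distinction. The log format, thresholds and
sample lines are constructed for illustration, not taken from a real system.
"""
import re
from collections import Counter

# Simplified access-log line: <client ip> [<timestamp>] "<request line>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_burst(lines, total_threshold=50, single_source_share=0.8):
    """Return (verdict, stats); verdict is 'normal', 'dos' or 'ddos'.

    Heuristic (an assumption for this example): a burst above total_threshold
    requests is DoS when one address accounts for at least single_source_share
    of it, and DDoS when the same volume is spread over many addresses.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    total = sum(counts.values())
    stats = {"total": total, "sources": len(counts), "top": counts.most_common(1)}
    if total < total_threshold:
        return "normal", stats
    _top_ip, top_n = counts.most_common(1)[0]
    if top_n / total >= single_source_share:
        return "dos", stats
    return "ddos", stats


def make_lines(ips):
    """Build constructed log lines, one GET request per source address given."""
    return [
        f'{ip} [01/Jan/2024:00:00:{i % 60:02d} +0000] "GET / HTTP/1.1" 200'
        for i, ip in enumerate(ips)
    ]


# Constructed samples using RFC 5737 documentation address ranges.
# One host sending 100 requests: DoS-like.
SINGLE_SOURCE = make_lines(["203.0.113.7"] * 100)
# 100 requests from 100 distinct hosts: DDoS-like (botnet pattern).
MANY_SOURCES = make_lines([f"198.51.100.{n}" for n in range(1, 101)])
# A quiet baseline: five requests from three hosts.
BASELINE = make_lines(["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.1", "192.0.2.2"])

if __name__ == "__main__":
    for name, lines in [("baseline", BASELINE), ("single", SINGLE_SOURCE), ("many", MANY_SOURCES)]:
        verdict, stats = classify_burst(lines)
        print(f"{name}: {verdict} ({stats['total']} requests from {stats['sources']} sources)")
```

The point of the split verdict is the mitigation it implies: a single dominant source can be rate-limited or blocked at the edge, whereas a distributed flood needs upstream scrubbing or capacity, because blocking any one address barely reduces the load.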
SQL injection and XSS are ranked among the most critical web application security risks (OWASP, 2021). Buffer overflow vulnerabilities result from insufficient input validation and can allow arbitrary code execution (Stallings & Brown, 2023).
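For the exam it is enough to recognise the two terms; for practice it helps to see why the fixes work. The following Python snippet is an added example, not code from the notes or from OWASP: it places a string-concatenated SQL query beside its parameterized form, and an unescaped HTML template beside an output-encoded one. The in-memory table, the rows and the test inputs are constructed for illustration.

```python
"""SQL injection and XSS: the vulnerable pattern beside its hardened form.

Added example using Python's sqlite3 and html modules; the schema, rows and
test inputs below are constructed for illustration.
"""
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: user input becomes part of the SQL text (the defect)."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value is passed separately from the query text and
    cannot alter the query's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflecting input straight into HTML lets supplied markup become active content."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    """Output encoding turns markup characters into inert entities."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed test inputs: a benign name, a value that closes the quoted string
# early so the WHERE clause matches every row, and a value containing markup.
BENIGN = "alice"
TAUTOLOGY = "x' OR '1'='1"
MARKUP = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup, injected input :", lookup_vulnerable(conn, TAUTOLOGY))
    print("parameterized lookup, same input  :", lookup_parameterized(conn, TAUTOLOGY))
    print("unescaped template                :", render_greeting_vulnerable(MARKUP))
    print("escaped template                  :", render_greeting_escaped(MARKUP))
```

The detection angle is the same in both cases: input validation alone is not the fix. The durable control is structural, binding data as parameters for SQL and encoding output for HTML, so that hostile characters never change what the interpreter executes.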
The Cyber Kill Chain (Lockheed Martin) describes the 7 stages of an advanced attack, from initial reconnaissance through to the final objective (Hutchins et al., 2011):
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques (TTPs) based on real-world observations (MITRE, 2024). Used by security teams to map real-world attack behaviors, it enables defenders to anticipate and detect adversary actions. The exam expects you to know it exists and its purpose — not memorize every technique (CompTIA, 2023).
The Diamond Model analyzes attacks through four points: Adversary, Infrastructure, Capability, Victim — useful for threat intelligence correlation (Stallings & Brown, 2023).
A vulnerability is a weakness. A threat exploits it. A risk is the probability × impact (NIST, 2012). Know this triangle cold (CompTIA, 2023). Misconfigurations remain the most common real-world vulnerability category, while supply chain attacks — exemplified by the 2020 SolarWinds compromise — represent an increasingly prevalent threat vector (CISA & FBI, 2020; Verizon, 2024).
| Term | Definition | Key Detail |
|---|---|---|
| Zero-day | Unknown vulnerability, no patch exists | Most dangerous — no defense except behavior monitoring (CompTIA, 2023) |
| CVE | Common Vulnerabilities and Exposures | Standardized ID: CVE-2024-XXXXX (MITRE, 2024) |
| CVSS | Common Vulnerability Scoring System | 0–10 severity score; drives patch priority (CompTIA, 2023) |
| Misconfiguration | Default settings, open ports, weak ACLs | Most common real-world vuln category (Verizon, 2024) |
| Supply Chain | Compromise via third-party software/hardware | SolarWinds is the canonical example (CISA & FBI, 2020) |
| Weak Credentials | Default/reused/simple passwords | Mitigated by MFA, PAM, password policy (NIST, 2012) |
CVE identifiers and CVSS scores provide a standardized framework for communicating vulnerability severity and guiding patch prioritization decisions (Stallings & Brown, 2023; CompTIA, 2023).
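To make the "CVSS drives patch priority" point concrete, here is an added Python example (not from the notes or from MITRE/FIRST): it validates CVE identifiers of the CVE-YYYY-NNNN shape shown in the table, maps CVSS base scores to the CVSS v3.x qualitative severity bands, and orders a constructed list of findings for patching. The CVE IDs in the sample list are placeholders, and the tie-break weighting (known exploitation, then internet exposure) is an assumption made for the example rather than a published standard.

```python
"""Parse CVE identifiers, band CVSS scores and order findings for patching.

Added example; the findings list holds constructed placeholder CVE IDs.
CVE ID format: CVE-<4-digit year>-<4 or more digits>.
Severity bands follow the CVSS v3.x qualitative rating scale.
"""
import re

CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def parse_cve(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m or int(m.group("year")) < 1999:  # CVE numbering began in 1999
        raise ValueError(f"not a valid CVE identifier: {cve_id!r}")
    return int(m.group("year")), int(m.group("seq"))


def cvss_severity(score):
    """Map a 0.0-10.0 base score to the CVSS v3.x qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def patch_order(findings):
    """Return findings sorted for patching: highest CVSS first, then known
    exploitation, then internet exposure (tie-break weighting is an assumption
    for this example). Each finding gains a 'severity' label."""
    for f in findings:
        parse_cve(f["cve"])  # reject malformed identifiers before ranking
        f["severity"] = cvss_severity(f["cvss"])
    return sorted(
        findings,
        key=lambda f: (f["cvss"], f["exploited"], f["internet_facing"]),
        reverse=True,
    )


# Constructed findings with placeholder CVE IDs (not real vulnerabilities).
FINDINGS = [
    {"cve": "CVE-2024-00001", "cvss": 9.8, "exploited": True, "internet_facing": True},
    {"cve": "CVE-2023-12345", "cvss": 5.3, "exploited": False, "internet_facing": True},
    {"cve": "CVE-2024-00002", "cvss": 7.5, "exploited": False, "internet_facing": False},
    {"cve": "CVE-2022-00099", "cvss": 7.5, "exploited": True, "internet_facing": False},
]

if __name__ == "__main__":
    for f in patch_order([dict(f) for f in FINDINGS]):
        print(f"{f['cve']:16} {f['cvss']:4} {f['severity']:9} exploited={f['exploited']}")
```

Note that the score alone does not settle the order: the two 7.5 findings tie on CVSS, and the one with known exploitation is patched first. That is the exam's "drives patch priority" idea with the real-world refinement that exposure and exploitation context break ties.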
Cialdini, R. B. (2007). Influence: The psychology of persuasion (rev. ed.). HarperCollins.
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide (NIST Special Publication 800-61 Rev. 2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-61r2
CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, & NCSC-UK. (2023). People’s Republic of China state-sponsored cyber actor living off the land to evade detection (Advisory AA23-144A). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
CISA & FBI. (2020). Ransomware activity targeting the healthcare and public health sector (Alert AA20-302A). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
CompTIA. (2023). CompTIA Security+ SY0-701 certification exam objectives (Version 6.0). CompTIA. https://www.comptia.org/certifications/security
FBI, CISA, & U.S. Treasury. (2022). TraderTraitor: North Korean state-sponsored APT targets blockchain companies (Advisory AA22-108A). Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains [White paper]. Lockheed Martin Corporation. https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
MITRE. (2024). MITRE ATT&CK®: Adversarial tactics, techniques, and common knowledge. The MITRE Corporation. https://attack.mitre.org/
MITRE. (2024). Common vulnerabilities and exposures (CVE). The MITRE Corporation. https://cve.mitre.org/
National Institute of Standards and Technology. (2012). Computer security incident handling guide (NIST Special Publication 800-61 Rev. 2). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-61r2
OWASP Foundation. (2021). OWASP Top 10:2021 — The ten most critical web application security risks. OWASP. https://owasp.org/Top10/
Souppaya, M., & Scarfone, K. (2013). Guide to malware incident prevention and handling for desktops and laptops (NIST Special Publication 800-83 Rev. 1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-83r1
Stallings, W., & Brown, L. (2023). Computer security: Principles and practice (5th ed.). Pearson.
Verizon. (2024). 2024 data breach investigations report. Verizon Business. https://www.verizon.com/business/resources/reports/dbir.html