Mar 7

CompTIA Security+ Threats and Attacks

Mindli Team

AI-Generated Content


To defend a network effectively, you must first think like an attacker. For the CompTIA Security+ exam (SY0-701) and your cybersecurity career, mastering the modern threat landscape is not just about memorizing terms—it's about understanding how different threats operate, how to spot their footprints, and how to prioritize your response based on risk. This knowledge forms the critical foundation for all subsequent security controls and mitigation strategies.

Malware: The Digital Infection

Malware, or malicious software, is any program designed to harm or exploit a system. It remains a primary delivery mechanism for attacks. You must be able to distinguish between its key types, as the infection method and behavior dictate the response.

  • Virus: Requires user interaction to execute and attaches itself to legitimate files or programs, spreading when the host file is shared. Think of it like a biological virus needing a host.
  • Worm: A standalone program that self-replicates across networks without user action, often exploiting software vulnerabilities. Its rapid spread can consume bandwidth and system resources.
  • Trojan Horse: Appears as legitimate, desirable software but performs malicious actions once installed, such as creating a backdoor. It does not self-replicate.
  • Ransomware: Encrypts files or locks systems, demanding a ransom payment for restoration. It often propagates via phishing or exploiting unpatched services.
  • Spyware & Keyloggers: Secretly monitor user activity, capturing keystrokes, screen contents, and personal data for exfiltration.
  • Rootkit: Designed to gain privileged (root-level) access and to hide its own presence, and that of other malware, from the operating system and security tools.

An essential exam and real-world skill is identifying Indicators of Compromise (IoCs). For malware, these can include unusual network connections to known malicious IPs, unexpected changes to file integrity (like new .encrypted files), a sudden spike in CPU or disk activity, and the presence of unfamiliar processes or services running.
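The IoC checks listed above, turned into a small detector that runs over constructed endpoint log lines. This is an added example, not code from the original page; the log format, the known-bad IP list and the baseline of expected process names are all assumptions made for the example.

```python
import re

# Constructed sample endpoint log lines for this example (not from the original page).
# Format: timestamp host EVENT key=value ...
SAMPLE_LOGS = [
    "2024-03-07T09:00:01 ws-12 NETCONN dst=203.0.113.45:443 proc=svchost.exe",
    "2024-03-07T09:00:05 ws-12 FILE_CREATE path=C:\\Users\\amy\\Docs\\report.docx.encrypted",
    "2024-03-07T09:00:06 ws-12 FILE_CREATE path=C:\\Users\\amy\\Docs\\budget.xlsx.encrypted",
    "2024-03-07T09:00:07 ws-12 PROC_START name=updater_x.exe parent=winword.exe",
    "2024-03-07T09:00:09 ws-12 NETCONN dst=198.51.100.7:4444 proc=updater_x.exe",
    "2024-03-07T09:01:00 ws-12 NETCONN dst=93.184.216.34:443 proc=chrome.exe",
]

# Constructed threat-intel and baseline lists; in practice these come from your feeds and asset inventory.
KNOWN_BAD_IPS = {"198.51.100.7"}
KNOWN_PROCESSES = {"svchost.exe", "chrome.exe", "winword.exe", "explorer.exe"}

NETCONN_RE = re.compile(r"NETCONN dst=(?P<ip>[\d.]+):(?P<port>\d+) proc=(?P<proc>\S+)")
FILE_RE = re.compile(r"FILE_CREATE path=(?P<path>\S+)")
PROC_RE = re.compile(r"PROC_START name=(?P<name>\S+) parent=(?P<parent>\S+)")


def find_iocs(lines, bad_ips=KNOWN_BAD_IPS, known=KNOWN_PROCESSES, encrypted_threshold=2):
    """Return (ioc_type, detail) tuples for the malware IoCs described in the text:
    connections to known-bad IPs, unfamiliar processes (or their network activity),
    and a burst of newly created .encrypted files suggesting ransomware."""
    findings = []
    encrypted_files = 0
    for line in lines:
        m = NETCONN_RE.search(line)
        if m:
            target = f"{m['proc']} -> {m['ip']}:{m['port']}"
            if m["ip"] in bad_ips:
                findings.append(("malicious_ip", target))
            elif m["proc"] not in known:
                findings.append(("unknown_process_netconn", target))
            continue
        m = FILE_RE.search(line)
        if m:
            if m["path"].endswith(".encrypted"):
                encrypted_files += 1
            continue
        m = PROC_RE.search(line)
        if m and m["name"] not in known:
            findings.append(("unfamiliar_process", f"{m['name']} spawned by {m['parent']}"))
    if encrypted_files >= encrypted_threshold:
        findings.append(("ransomware_file_pattern", f"{encrypted_files} new .encrypted files"))
    return findings
```

Each finding is a type plus a detail string so it can be fed to a ticketing or SIEM rule; the file-count threshold keeps a single legitimately named file from firing the ransomware alert.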

Social Engineering: Exploiting the Human Layer

The most sophisticated firewall can't stop a persuasive lie. Social engineering attacks manipulate human psychology to bypass technical controls. Understanding these techniques is crucial because they are a favored attack vector—the path or means by which an attacker gains access.

  • Phishing: Fraudulent attempts, typically via email, to steal sensitive data. Spear phishing targets specific individuals or organizations, while whaling targets high-profile executives. Vishing (voice phishing) and smishing (SMS phishing) use other channels.
  • Pretexting: The attacker creates a fabricated scenario (a pretext) to steal information. This often involves impersonating authority figures, like IT support or law enforcement, to build false trust.
  • Baiting: Offers something enticing—a free USB drive labeled "Executive Salaries," for instance—to lure a victim into installing malware or divulging credentials.
  • Tailgating & Piggybacking: Gaining physical access to a restricted area by following an authorized person (tailgating) or having an authorized person willingly hold the door (piggybacking).

The common goal is authorization bypass. Defenses are primarily non-technical: comprehensive security awareness training, strict verification procedures for unusual requests, and clear reporting protocols for suspicious contact, backed by technical controls such as multi-factor authentication.

Application and Software Attacks

Attackers frequently target applications because they are complex and directly interface with data. These attacks exploit weaknesses in code, configuration, or design logic.

  • Injection Attacks: An attacker inserts malicious code into a vulnerable program. SQL injection targets databases by manipulating input fields to run arbitrary SQL commands, potentially leading to data theft or destruction. Command injection attempts to execute OS commands on the host server.
  • Cross-Site Scripting (XSS): Malicious scripts are injected into otherwise benign and trusted websites. When a victim's browser executes the script, it can steal session cookies, deface the site, or redirect the user. It targets the website's users, not the website itself.
  • Buffer Overflow: By sending more data to a program's memory buffer than it was allocated to hold, an attacker can overwrite adjacent memory, potentially crashing the program or executing arbitrary code. This is a classic example of exploiting poor input validation.
  • Cross-Site Request Forgery (CSRF): This attack tricks an authenticated user's browser into submitting a malicious request to a web application they are currently logged into, performing an unwanted action like transferring funds without their consent.

Defending against these requires a Secure Software Development Lifecycle (SDLC), which includes practices like thorough input validation, output encoding, and using parameterized queries for databases.
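Two of the SDLC practices just named, parameterized queries and output encoding, shown next to the defect each one removes. This is an added example, not code from the original page; it uses Python's standard sqlite3 and html modules against a constructed in-memory user table.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "<b>Bob</b>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so a quote character in the value can change the query's structure."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened: the driver binds the value separately, so it is only ever data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(display_name):
    """Output encoding against XSS: HTML-escape untrusted text before it enters markup,
    so stored markup such as <b>...</b> is shown as literal text, not interpreted."""
    return f"<p>Welcome, {html.escape(display_name)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # textbook tautology: makes the WHERE clause always true
    print("vulnerable:    ", lookup_vulnerable(db, probe))     # every user comes back
    print("parameterized: ", lookup_parameterized(db, probe))  # no such username: []
    print(render_greeting("<b>Bob</b>"))
```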

Network-Based Threats

These attacks target the protocols, services, and infrastructure that enable network communication. They aim to disrupt availability, intercept data, or gain a foothold.

  • Denial-of-Service (DoS) & Distributed DoS (DDoS): Overwhelms a system's resources (bandwidth, CPU, memory) to render it unavailable. A DDoS uses a botnet—a network of compromised machines—to amplify the attack, making it far more difficult to mitigate.
  • Spoofing: Falsifying data to masquerade as a trusted system. IP spoofing hides the source of an attack or impersonates a trusted host. MAC spoofing does the same at the data link layer. DNS spoofing/cache poisoning corrupts a DNS server's cache to redirect domain names to malicious IP addresses.
  • Man-in-the-Middle (MITM): The attacker secretly intercepts and relays messages between two parties who believe they are communicating directly. This allows for eavesdropping or alteration of communications. Techniques like ARP poisoning on a local network or setting up a rogue Wi-Fi access point facilitate MITM attacks.
  • Hijacking: Session hijacking involves stealing a valid session token (like a cookie) to take over a user's authenticated session. Clickjacking uses transparent layers on a webpage to trick users into clicking something different from what they perceive.

Countermeasures are layered: network segmentation, intrusion detection/prevention systems (IDS/IPS), encryption (like TLS), and strong authentication protocols help mitigate these threats.
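A detection-side complement to the ARP poisoning technique mentioned under MITM: a check over constructed ARP replies that flags the signatures a poisoned LAN shows. This is an added example, not code from the original page; the inventory baseline, the addresses and the gateway assignment are all constructed for it.

```python
from collections import defaultdict

# Constructed LAN inventory for this example (not from the original page):
# the expected IP-to-MAC mapping, with 192.168.1.1 as the default gateway.
BASELINE = {
    "192.168.1.1": "aa:bb:cc:00:00:01",
    "192.168.1.10": "aa:bb:cc:00:00:10",
    "192.168.1.11": "aa:bb:cc:00:00:11",
}

# Constructed ARP replies observed on the wire. The last entry is the poisoning signature:
# the host at .11 now also answers for the gateway's IP with its own MAC.
OBSERVED = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.11", "aa:bb:cc:00:00:11"),
    ("192.168.1.1", "aa:bb:cc:00:00:11"),
]


def detect_arp_anomalies(observed, baseline, gateway_ip):
    """Return alert tuples for three MITM indicators: one IP answered by several MACs,
    a MAC that differs from the inventory baseline, and one MAC claiming the gateway
    IP in addition to another address."""
    macs_by_ip = defaultdict(set)
    ips_by_mac = defaultdict(set)
    for ip, mac in observed:
        macs_by_ip[ip].add(mac.lower())
        ips_by_mac[mac.lower()].add(ip)

    alerts = []
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            alerts.append(("ip_multiple_macs", ip, sorted(macs)))
        expected = baseline.get(ip)
        if expected and macs != {expected.lower()}:
            alerts.append(("baseline_mismatch", ip, sorted(macs - {expected.lower()})))
    for mac, ips in sorted(ips_by_mac.items()):
        if gateway_ip in ips and len(ips) > 1:
            alerts.append(("gateway_impersonation", mac, sorted(ips - {gateway_ip})))
    return alerts
```

Switch-side Dynamic ARP Inspection and static entries for critical hosts are the controls that actually block poisoning; a host-side check like this only surfaces it for the IDS or SOC.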

Advanced Threats and Vulnerability Management

Moving beyond singular attacks, advanced threats like Advanced Persistent Threats (APTs) are prolonged, targeted campaigns where an intruder maintains undetected presence to steal data or monitor activity over time. They use a combination of the above techniques, often beginning with spear phishing.

Central to the Security+ exam is the ability to categorize vulnerabilities by severity. This is typically done by calculating risk based on factors like:

  • Threat Actor Capability and Intent: Is it a script kiddie or a nation-state?
  • Attack Vector Feasibility: How easy is it to exploit?
  • Impact of a Breach: What is the value of the affected data or system (Critical, High, Medium, Low)?

This categorization, often formalized in a vulnerability scan report, dictates remediation priority (patching, configuration changes). A critical vulnerability on an internet-facing server containing personal data requires immediate action, while a low-severity flaw on an isolated test system may be scheduled for a standard update cycle.
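The prioritization rule above, carried through as a scoring function over a constructed scan report that contains both cases the text describes (a critical flaw on an internet-facing server with personal data, and a low-severity flaw on an isolated test system). This is an added example, not code from the original page; the weights and thresholds are assumptions, since the text names the factors but no formula.

```python
from dataclasses import dataclass

# Assumed scoring weights for this example; the text names the factors but gives no formula.
SEVERITY_SCORE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
INTERNET_FACING_WEIGHT = 2    # attack vector feasibility: reachable by anyone
SENSITIVE_DATA_WEIGHT = 2     # impact: personal or regulated data at stake
EXPLOIT_AVAILABLE_WEIGHT = 1  # threat actor capability: a public exploit lowers the bar


@dataclass
class Finding:
    host: str
    severity: str             # scanner rating: Critical, High, Medium or Low
    internet_facing: bool
    sensitive_data: bool
    exploit_available: bool


def risk_score(f: Finding) -> int:
    """Combine severity with exposure, impact and exploitability into one number."""
    score = SEVERITY_SCORE[f.severity]
    score += INTERNET_FACING_WEIGHT if f.internet_facing else 0
    score += SENSITIVE_DATA_WEIGHT if f.sensitive_data else 0
    score += EXPLOIT_AVAILABLE_WEIGHT if f.exploit_available else 0
    return score


def remediation_priority(f: Finding) -> str:
    """Map the score to an action bucket (thresholds are assumptions for the example)."""
    score = risk_score(f)
    if score >= 8:
        return "immediate"
    if score >= 5:
        return "next maintenance window"
    return "standard update cycle"


def prioritize(findings):
    """Order a scan report so the highest-risk items come first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings mirroring the two cases in the text plus a middle case.
REPORT = [
    Finding("test-vm-03", "Low", internet_facing=False, sensitive_data=False, exploit_available=False),
    Finding("web-01", "Critical", internet_facing=True, sensitive_data=True, exploit_available=True),
    Finding("intranet-app", "High", internet_facing=False, sensitive_data=True, exploit_available=False),
]
```

The point of the bucket function is that the same Critical rating lands in different queues depending on exposure and data value, which is what "not just the raw number of flaws" means in practice.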

Common Pitfalls

  1. Confusing Attack Types: A classic exam trap is mixing up XSS and CSRF. Remember: XSS exploits a user's trust in a website to attack that user; CSRF exploits a website's trust in the user's browser (its authenticated session) to attack the website. Similarly, DoS disrupts availability, while spoofing is about impersonation.
  2. Overlooking Physical and Social Vectors: Focusing solely on technical network attacks is a mistake. The exam and real-world scenarios will include social engineering and physical security breaches (like tailgating) as valid initial attack vectors.
  3. Misprioritizing Vulnerabilities: Treating all vulnerabilities as equally urgent wastes resources. You must be able to justify prioritization based on severity, asset value, and exploitability, not just the raw number of flaws found.
  4. Ignoring IoCs Until It's Too Late: Dismissing subtle signs like a single failed login from an unusual geography or a small, unexplained increase in outbound network traffic can allow an attacker to establish a stronger foothold. Early detection via IoC monitoring is key to limiting damage.

Summary

  • Malware varies by propagation and payload; identifying its Indicators of Compromise (IoCs) is essential for early detection and containment.
  • Social engineering bypasses technical controls by manipulating human psychology, with phishing, pretexting, and baiting as common techniques.
  • Application attacks, such as injection, XSS, and buffer overflows, exploit software flaws and are mitigated by secure coding practices within the SDLC.
  • Network-based threats like DDoS, spoofing, and MITM attacks target communication infrastructure and require layered defensive controls like segmentation and encryption.
  • Effective security hinges on vulnerability management, which involves categorizing flaws by severity (Critical, High, Medium, Low) based on impact and exploitability to guide remediation efforts.
