← CompTIA Security+ Threats & Attacks

CompTIA Security+ Certification Study Guide

Key concepts, definitions, and exam tips organized by topic.

36 cards covered

CompTIA Security+ Threats & Attacks Study Guide


Overview

This study guide covers the core threat and attack concepts tested on the CompTIA Security+ exam, including malware classifications, social engineering techniques, network and application attacks, and threat intelligence frameworks. Understanding both how each attack works and why it is effective is essential for exam success and real-world security practice. Mastery of these topics will prepare you for scenario-based questions that require you to identify, differentiate, and respond to various attack types.


---


Malware Types


Summary

Malware encompasses any software designed to disrupt, damage, or gain unauthorized access to systems. The Security+ exam tests your ability to identify malware by its behavior, not just its name. Focus on propagation methods, persistence mechanisms, and detection challenges.


Key Malware Definitions


| Malware Type | Core Behavior | Key Distinguishing Feature |

|---|---|---|

| Trojan Horse | Disguises itself as legitimate software | Does not self-replicate; relies on user execution |

| Virus | Attaches to a host file | Requires user action and a host file to spread |

| Worm | Self-replicates across networks | Spreads without a host file or user interaction |

| Rootkit | Hides malware and gains privileged access | Conceals presence from the OS and security tools |

| Ransomware | Encrypts files and demands payment | Objective is financial extortion via decryption key |

| Logic Bomb | Dormant code triggered by a condition | Triggered by date, time, or specific user action |

| Keylogger | Records keystrokes | Primarily captures passwords and sensitive input |

| Spyware | Secretly monitors and exfiltrates user data | Sends data to third party without user knowledge |

| Adware | Displays unwanted advertisements | May not capture sensitive data (less malicious than spyware) |

| Botnet/Zombie | Network of compromised machines | Controlled by botmaster; used for DDoS, spam, credential stuffing |

| Fileless Malware | Operates entirely in RAM | Leverages PowerShell/WMI; no files written to disk |


Key Terms

  • Botmaster/C2 (Command and Control): The attacker and infrastructure used to control botnet zombies
  • Persistence: The ability of malware to survive reboots and removal attempts
  • Payload: The malicious action carried out by malware after infection
  • Propagation: The method by which malware spreads to additional systems

    • Watch Out For

    > ⚠️ Trojan vs. Virus vs. Worm — This is a classic exam trap. Remember: Trojans don't replicate, viruses need a host file, and worms need neither. Questions may describe behavior and ask you to name the type.


    > ⚠️ Fileless Malware Detection — Exam questions may ask why fileless malware evades detection. The answer is always that it lives in memory (RAM), not on disk, so file-scanning antivirus tools miss it.


    > ⚠️ Logic Bomb vs. Ransomware — A logic bomb waits for a trigger before executing. Ransomware immediately encrypts data. Do not confuse a time-delayed ransomware delivery with a logic bomb.


    > ⚠️ Spyware vs. Adware — Spyware steals sensitive data; adware displays ads. Adware is annoying but not necessarily data-stealing.


    ---


    Social Engineering


    Summary

    Social engineering exploits human psychology rather than technical vulnerabilities. Attackers manipulate victims by leveraging trust, authority, urgency, and fear. The Security+ exam heavily tests your ability to distinguish between similar attack types and understand the psychological principles behind them.


    Social Engineering Attack Types


    #### Phishing Variants

  • Phishing: Mass deceptive emails designed to steal credentials or deliver malware
  • Spear Phishing: Targeted phishing using personalized details about the victim or organization
  • Whaling: Spear phishing directed specifically at executives (CEO, CFO, board members)
  • Vishing: Phishing conducted over voice/phone calls (impersonating banks, IT support, government)
  • Smishing: Phishing delivered via SMS/text messages

    • #### Manipulation Techniques

  • Pretexting: Creating a fabricated, believable scenario (e.g., posing as an auditor or IT tech) to extract information
  • Tailgating/Piggybacking: Physically following an authorized person through a secured access point without credentials
  • Watering Hole Attack: Compromising a website that the target group frequently visits to deliver malware passively

    • Principles of Social Engineering Influence

    | Principle | How It Is Exploited |

    |---|---|

    | Authority | Impersonating managers, law enforcement, or IT admins |

    | Urgency/Scarcity | "Your account will be locked in 24 hours" |

    | Social Proof | "Everyone else in your department has already done this" |

    | Intimidation | Threatening legal or professional consequences |

    | Trust/Familiarity | Referencing colleagues' names or recent company events |


    Key Terms

  • Pretexting: A fabricated scenario used to manipulate victims
  • Spear Phishing: Targeted, personalized phishing
  • Whaling: Spear phishing targeting executives
  • Tailgating: Unauthorized physical access by following an authorized person
  • Watering Hole: Infecting a site the target routinely visits

    • Watch Out For

    > ⚠️ Whaling vs. Spear Phishing — All whaling is spear phishing, but not all spear phishing is whaling. Whaling = executive-level targets specifically.


    > ⚠️ Tailgating vs. Pretexting — Tailgating is a physical attack. Pretexting is a psychological manipulation technique that can be used in person, over the phone, or online.


    > ⚠️ Watering Hole Attribution — This attack is often associated with nation-state/APT actors targeting specific industries. If an exam scenario describes a whole industry sector being compromised through websites, think watering hole.


    ---


    Network Attacks


    Summary

    Network attacks exploit weaknesses in protocols, configurations, and traffic flows. The Security+ exam tests your ability to identify attack types from scenario descriptions and understand which countermeasures are most appropriate.


    Attack Reference Table


    | Attack | Mechanism | Key Impact |

    |---|---|---|

    | DoS | Single source overwhelms target | Service unavailability |

    | DDoS | Multiple distributed sources (botnet) | Harder to block; massive scale |

    | MitM | Intercepts communications between two parties | Eavesdropping, data alteration |

    | ARP Poisoning | Fake ARP replies linking attacker's MAC to legitimate IP | Enables MitM on LAN |

    | DNS Cache Poisoning | Fraudulent DNS records injected into resolver cache | Redirects users to malicious sites |

    | Replay Attack | Captured credentials/tokens retransmitted later | Unauthorized access |

    | SSL Stripping | Downgrades HTTPS to HTTP via MitM | Exposes plaintext traffic |

    | Smurf Attack | ICMP flood using broadcast address with spoofed victim IP | DDoS amplification |


    Attack Deep Dives


    #### ARP Poisoning → MitM Chain

    1. Attacker sends forged ARP replies on the LAN

    2. Victim's ARP cache maps attacker's MAC to the gateway's IP

    3. All victim traffic is routed through the attacker's machine

    4. Attacker forwards traffic (invisible to victim) while capturing data


    #### Replay Attack Prevention

    The most effective controls are:

  • Timestamps — Tokens expire after a short window
  • Nonces — One-time random values that invalidate replayed tokens
  • Sequence numbers — Out-of-order or duplicate packets are rejected

    • #### SSL Stripping Countermeasure

  • HTTP Strict Transport Security (HSTS) forces browsers to only connect via HTTPS, preventing the downgrade

    • Key Terms

  • Botnet: Network of compromised machines used in DDoS attacks
  • Spoofing: Falsifying source information (IP, MAC, DNS records)
  • Amplification Attack: Using a reflector/multiplier to magnify attack traffic volume
  • Nonce: A one-time random value used to prevent replay attacks
  • HSTS: HTTP Strict Transport Security — prevents SSL stripping

    • Watch Out For

    > ⚠️ DoS vs. DDoS — The exam distinguishes these by source count. DoS = one source. DDoS = many distributed sources. If the scenario mentions a botnet, it's DDoS.


    > ⚠️ ARP Poisoning Scope — ARP operates only on the local network (LAN). ARP poisoning cannot be used directly over the internet.


    > ⚠️ DNS Poisoning vs. DNS Hijacking — Poisoning targets the cache of a DNS resolver. Hijacking typically modifies DNS settings on the victim's device or router. Know the difference.


    > ⚠️ Smurf Attack is Amplification — The amplification factor is the number of hosts on the broadcast network. This is a DDoS technique using ICMP.


    ---


    Application & Injection Attacks


    Summary

    Application attacks target vulnerabilities in software design and input validation. These are among the most common real-world attack vectors and are heavily tested on Security+. Understanding what the attack targets and how input validation prevents it is critical.


    Application Attack Types


    #### SQL Injection (SQLi)

  • Mechanism: Malicious SQL code inserted into an input field incorporated into a database query
  • Impact: Data exfiltration, authentication bypass, data modification/deletion
  • Prevention: Parameterized queries / prepared statements, input validation, least privilege database accounts

    • #### Cross-Site Scripting (XSS)

    | Type | How It Works | Scope |

    |---|---|---|

    | Stored (Persistent) XSS | Script saved to server database; executes for all users loading the page | Affects all users of the page |

    | Reflected (Non-Persistent) XSS | Script embedded in a URL; executes only when victim clicks the link | Affects only the specific victim who clicks |


    #### Buffer Overflow

  • Mechanism: Writes more data into a buffer than allocated, overwriting adjacent memory
  • Impact: Can overwrite return addresses and redirect execution to attacker-supplied code
  • Prevention: Input validation, address space layout randomization (ASLR), stack canaries, data execution prevention (DEP)

    • #### Cross-Site Request Forgery (CSRF)

  • Mechanism: Tricks an authenticated user's browser into sending unauthorized requests to a trusted web app
  • Key Insight: Exploits the site's trust in the user, not the user's trust in the site (opposite of XSS)
  • Prevention: Anti-CSRF tokens, SameSite cookie attribute, re-authentication for sensitive actions

    • #### Directory Traversal

  • Mechanism: Uses `../` sequences to navigate outside the web root and access unauthorized files
  • Impact: Exposes sensitive system files (e.g., `/etc/passwd`)
  • Prevention: Input sanitization, chroot jails, deny directory traversal patterns at the WAF

    • XSS vs. CSRF — Critical Comparison

    | | XSS | CSRF |

    |---|---|---|

    | Exploits trust of | User trusts the site | Site trusts the user |

    | Attack vector | Injected script executes in victim's browser | Forged request sent from victim's browser |

    | Prevention | Output encoding, CSP | Anti-CSRF tokens, SameSite cookies |


    Key Terms

  • Parameterized Queries: Prevents SQL injection by separating code from data
  • Input Validation: Checking and sanitizing user-supplied data before processing
  • ASLR: Address Space Layout Randomization — randomizes memory addresses to defeat buffer overflow exploitation
  • WAF: Web Application Firewall — filters malicious HTTP/S traffic

    • Watch Out For

    > ⚠️ XSS vs. CSRF Confusion — This is one of the most commonly confused pairs. Remember: XSS injects malicious scripts into a page; CSRF forges requests using the victim's authenticated session.


    > ⚠️ Stored vs. Reflected XSS Impact — Stored XSS is more dangerous because it affects every user who visits the page, not just a targeted individual.


    > ⚠️ Buffer Overflow ≠ Memory Leak — A buffer overflow actively writes beyond buffer bounds to execute malicious code. A memory leak is when memory is allocated but never released (a performance issue, not directly an exploit vector).


    ---


    Threat Intelligence & Attack Concepts


    Summary

    This section covers the strategic frameworks and concepts used to understand, categorize, and hunt threats. The Security+ exam expects familiarity with industry-standard models (Kill Chain, MITRE ATT&CK) and concepts like APTs, zero-days, and IoCs that appear in scenario-based questions.


    Advanced Persistent Threats (APTs)

  • Definition: Sophisticated, long-duration attacks by well-resourced actors maintaining stealthy persistence
  • Typical Actors: Nation-states, organized crime groups
  • Goals: Intelligence gathering, data exfiltration, sabotage (not smash-and-grab)
  • Characteristics: Low-and-slow tactics, custom malware, multiple attack vectors, long dwell times

    • The Cyber Kill Chain (Lockheed Martin)

    | Stage | Description |

    |---|---|

    | 1. Reconnaissance | Gathering information about the target |

    | 2. Weaponization | Creating a malicious payload (exploit + malware) |

    | 3. Delivery | Transmitting the weapon (email, USB, website) |

    | 4. Exploitation | Triggering the exploit on the victim's system |

    | 5. Installation | Installing malware/backdoor for persistence |

    | 6. Command & Control (C2) | Establishing communication channel to control the system |

    | 7. Actions on Objectives | Executing the attacker's goal (exfiltration, destruction) |


    > 💡 Key Insight: The Kill Chain model helps defenders identify which stage an attack is in and where to interrupt it. Stopping an attack at stage 1 (Reconnaissance) is more cost-effective than responding at stage 7.


    MITRE ATT&CK Framework

  • Purpose: Knowledge base of real-world adversary Tactics, Techniques, and Procedures (TTPs)
  • Use Cases:

    • - Threat detection and rule creation

    - Red/blue team exercise planning

    - Security gap analysis

    - Mapping observed behavior to known threat actor groups

  • Difference from Kill Chain: ATT&CK is more granular, covering specific techniques within each tactic, not just high-level stages

    • Zero-Day Vulnerabilities

  • Definition: A software flaw unknown to the vendor with no patch available
  • Why Dangerous: Defenders have zero days to prepare before exploitation
  • Typical Exploiters: APT groups, nation-states (due to high cost of obtaining zero-days)
  • Mitigation: Defense-in-depth, behavioral detection, network segmentation (cannot patch what you don't know about)

    • Indicators of Compromise (IoCs)

    Common IoC Examples:

  • • Unusual outbound network traffic (data exfiltration)
  • • Known malicious IP addresses or domain names
  • • Suspicious registry modifications
  • • Unexpected privileged account creation
  • • Malware file hashes (MD5, SHA-256)
  • • Anomalous process execution (e.g., Word spawning PowerShell)

    • Supply Chain Attacks

  • Mechanism: Compromise a trusted vendor, update mechanism, or hardware component to reach downstream customers
  • Why Effective: Victims inherently trust signed software updates and known hardware suppliers
  • Notable Example Pattern: Malicious code inserted into a legitimate software update package
  • Mitigation: Software bill of materials (SBOM), code signing verification, vendor security assessments

    • Threat Hunting vs. Incident Response

    | | Threat Hunting | Incident Response |

    |---|---|---|

    | Approach | Proactive | Reactive |

    | Trigger | Hypothesis-driven; analyst-initiated | Alert or detected event |

    | Goal | Find threats already in the network | Contain and remediate known incidents |

    | Assumption | Attacker may already be present | Attack is happening or has happened |


    Key Terms

  • APT: Advanced Persistent Threat — long-term, st
    • 📝

    Take a Practice Test

    Test yourself with multiple choice questions
    📇

    Study with Flashcards

    Flip through all 36 cards

    Want more study tools?

    Subscribe for $7.99/mo and turn your own notes into personalized flashcards and study guides.

    View Pricing