Domain 2 of 5 · Chapter 2 of 6

Threat Vectors and Attack Surfaces

Vector vs. attack surface, and the technical vectors

A threat vector is the route of one intrusion (one email, one open port, one rogue USB drive) while the attack surface is the aggregate of every such point an attacker could touch, and keeping that one/aggregate line straight is what objective 2.2 keeps testing. SY0-701 asks you to explain common threat vectors and attack surfaces, and CompTIA's own objective summary names the families in one breath: "message-based, unsecure networks, social engineering, file-based, voice call, supply chain, and vulnerable software vectors"[1]. Objective 2.2 sits in Domain 2, Threats, Vulnerabilities, and Mitigations, which is 22% of the scored exam[1], the second-heaviest domain, so this content is worth real study time. The overview drew the core line; this section makes it operational and walks every technical vector cell by cell.

The two terms are not interchangeable

A threat vector (attack vector) is the route of a single intrusion, one email, one open port, one rogue USB drive. The attack surface is the aggregate: every point an attacker could touch. NIST defines an attack surface as "the set of points on the boundary of a system, a system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from"[2] it. The exam's recurring framing follows from that definition: a vector is the how/where of one attack; the attack surface is the total exposure you are trying to shrink. Attack surface reduction is therefore not a single control but a discipline, close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment networks, and minimize accounts, and each removal eliminates whole vectors before they can be used. (The final section reuses this list as the exam-correct answer to a "BEST way to reduce the attack surface" item.) The figure below groups the vector families, technical, human, and supply-chain, modeled on CompTIA's own Objective 2.2 vector list.

Message, file, image, and voice vectors

These are delivery vectors, they carry a payload or a lure to a human or an application.

Vector What it is Typical control
Message-based Email, SMS, and instant messaging that deliver a link, attachment, or lure Secure email gateway, link rewriting, anti-spam/anti-phishing filtering, user training
File-based Malicious code inside a document, script, archive, or executable the user opens Attachment sandboxing/detonation, application allowlisting, macro disablement
Image-based Malicious payloads hidden in image files (steganography, malformed parsers) Content disarm and reconstruction, file-type validation, patched image libraries
Voice call Live or automated phone calls (the channel for vishing, voice phishing, defined under Human vectors below) Caller-ID scrutiny, call-back verification, awareness training
Removable device USB drives, external media used to introduce malware or exfiltrate data Device-control/USB blocking policy, disabling autorun, port lockdown

Note the exam pairing: a phishing email is a message-based vector even though the harm comes from a file-based attachment it carries, CompTIA may classify by the delivery channel or by the payload container depending on the stem's emphasis.

Network, software, and credential exposure vectors

These expand the attack surface by leaving something reachable that should not be.

  • Unsecure networks: open or weakly secured wireless (no/weak encryption, rogue APs), flat wired LANs with no segmentation, and discoverable Bluetooth radios. The control is encryption plus segmentation plus disabling unneeded radios.
  • Open service ports: every listening port is a potential entry point. NIST's Technical Guide to Information Security Testing and Assessment (SP 800-115)[3] frames network port and service identification as a core discovery technique precisely because exposed listening services are where attackers start; the mitigation is to inventory listening ports and firewall or close anything not required (never leave RDP/3389, SMB/445, or admin panels internet-facing).
  • Default credentials: factory usernames/passwords left on routers, IoT, databases, and admin consoles are a one-step compromise. The control is to change every default before deployment.
  • Vulnerable and unsupported software: software with a known, patchable flaw is a vector until you update it; unsupported (end-of-life) software is a standing vector because the vendor ships no patches at all, so a known CVE stays exploitable indefinitely. Replace it, or isolate and compensate with segmentation and virtual patching.
Threat vectors Technical vectors Social engineering Supply chain Message-based / File-based / Image-based Voice call (vishing) / Removable device Unsecure networks / Open service ports / Default credentials / Vulnerable / unsupported software Detailed under Human vectors Detailed under Supply chain
The SY0-701 Objective 2.2 threat-vector families: technical vectors (delivery, voice/removable, and network/software exposure), plus social engineering and supply chain.

Human vectors: social engineering by channel and tell

Social engineering attacks the person, not the software flaw. It exploits trust, urgency, authority, fear, and helpfulness to make a human take an action that bypasses technical controls. Because the exploit is the user, the primary controls are security awareness training plus process controls such as out-of-band verification of any payment or credential change, not a patch. SY0-701 expects you to name each technique by its channel and its tell-tale sign, so master the discriminators below rather than memorizing definitions in isolation. The figure below groups the techniques the same way this section does: by channel (which medium carried the lure), by the story the attacker tells, and by the site or content abused.

Channel-specific lures: phishing, vishing, smishing

The three are the same deception delivered over different channels, and the exam tests the channel word:

  • Phishing: fraudulent email, usually bulk, with a spoofed sender and an urgent link to a fake login or a malicious attachment.
  • Spear phishing: targeted phishing aimed at a named individual using researched personal detail (more convincing, lower volume). Whaling is spear phishing aimed at a high-value executive.
  • Vishing: voice phishing over a phone call; the caller manufactures urgency or authority to extract data or trigger an action.
  • Smishing: SMS/text phishing; a short link or a callback number in an unsolicited message.

The single distinguishing fact is the medium: email = phishing, voice = vishing, SMS = smishing. A question that says "received a text message" is smishing even if the lure content looks identical to a phishing email.

Pretext, impersonation, BEC, and brand impersonation

These describe the story the attacker tells, independent of channel:

  • Pretexting: inventing a fabricated backstory or scenario ("I'm from IT and need to verify your password to fix your mailbox") that justifies the unusual request. Pretexting is the underlying technique many of the others ride on.
  • Impersonation: posing as a specific trusted person (a colleague, a help-desk agent, an executive) to lower the target's suspicion.
  • Brand impersonation: posing as a trusted company (spoofed logos, look-alike sites, fake support) rather than a specific person.
  • Business email compromise (BEC): the high-payoff variant: an attacker spoofs or hijacks an executive or vendor email account and requests a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice-change request that appears to come from leadership or a known supplier. The exam-correct control is out-of-band verification (call a known number) before acting, not a reply to the email.

Watering hole, typosquatting, and information manipulation

  • Watering-hole attack: instead of attacking the target directly, the attacker compromises a legitimate third-party website the target group routinely visits, so the victims infect themselves when they browse a site they already trust. The tell is that a normally-trusted site begins serving malware.
  • Typosquatting: registering look-alike domains (misspellings or homoglyphs of a real brand, e.g. a swapped or doubled letter) to catch users who mistype a URL, then serving a phishing page or malware. It is a form of URL hijacking and overlaps with brand impersonation.
  • Misinformation and disinformation: manipulating decisions by spreading false content. Misinformation is false information spread without intent to deceive; disinformation is deliberately false content spread to mislead (an influence campaign). On SY0-701 the discriminator is intent: deliberate = disinformation. Both are recognized threat vectors because they shape human decisions and erode trust, and the control is awareness, source verification, and authoritative communication channels.
By channel Phishing (email) Spear phishing / Whaling Vishing (voice) Smishing (SMS) By story Pretexting Impersonation Brand impersonation Business email compromise (BEC) By site / content Watering hole Typosquatting Misinformation / disinformation
SY0-701 Objective 2.2 social-engineering techniques grouped by channel, by the story told, and by the site or content abused.

Supply chain and exam-pattern recognition

The last family in Objective 2.2 extends your attack surface beyond your own perimeter, and the section closes with the question shapes the exam actually uses so you can answer on recognition.

The supply chain is part of your attack surface

Every third party you trust, managed service providers (MSPs), hardware vendors, software suppliers, and open-source dependencies, is reachable as a vector because a compromise of any of them arrives through a trusted channel and installs with full trust. NIST's Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1)[4] frames this exactly: products and services can carry malicious functionality or vulnerabilities from poor development and manufacturing practices, and the risk must be managed across the whole supply chain.

  • MSP: an MSP with broad remote access is a single point through which many of its customers can be breached at once; scope it into the attack surface with least-privilege access and monitoring.
  • Vendor / supplier: a tampered hardware component or a malicious update pushed through a legitimate software supplier (a software-supply-chain attack) installs with trust the user never questions.
  • Controls: vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) so you know which dependencies you actually run.

Exam-pattern recognition for Objective 2.2

Vector questions cluster into a few repeatable shapes. Name the pattern and the answer follows.

Pattern 1: "Which social-engineering technique is this?" The stem describes a scenario and the options are technique names. Decide by the channel and the story: a phone call = vishing; a text = smishing; an email = phishing (targeted/personalized = spear phishing); a money/invoice-change request from a spoofed exec = BEC; a fabricated justification story = pretexting; a compromised trusted site = watering hole; a misspelled look-alike domain = typosquatting. The classic trap is choosing "phishing" for a voice or SMS scenario: match the medium word in the stem.

Pattern 2: "Which is the threat vector here?" The options mix a vector with an actor, a payload, or a control. Pick the route in. Remember the boundaries: the actor and motive (nation-state, hacktivist, insider) belong to Threat Actors and Motivations; the payload behavior after entry (ransomware, worm, trojan, rootkit) belongs to Malware and Malicious Activity; a flaw classification (buffer overflow, misconfiguration, race condition) belongs to Vulnerability Types; and the defensive control (segmentation, patching, hardening) belongs to Mitigation Techniques. A phishing email is the vector; the trojan it drops is malware, distinct exam topics.

Pattern 3: "BEST way to reduce the attack surface." The goal is fewer entry points, so the right answer is one of the attack-surface-reduction moves introduced in the opening section, closing ports, changing defaults, retiring unsupported software, disabling unused radios, segmenting, or minimizing accounts, each of which removes a vector. The discriminator the exam tests is removal versus detection: the wrong answer typically adds a detective layer (more logging), which is useful but does not shrink the surface because nothing is eliminated. NIST's Technical Guide to Information Security Testing and Assessment (SP 800-115)[3] underscores why inventorying and closing listening services is the highest-leverage move: those exposed ports are precisely where assessment (and attack) begins.

Pattern 4: third-party / supply-chain scenario. A stem says a breach reached the company through an MSP, a vendor update, or an open-source dependency. The correct framing is that the third party is part of your attack surface, and the exam-right controls are due diligence, least-privilege vendor access, signed/verified updates, and an SBOM, aligned with NIST SP 800-161 Rev. 1[4]. The wrong answer treats the vendor as out of scope because "we didn't run the vulnerable code ourselves."

Social-engineering techniques: channel and tell-tale sign

TechniqueChannel / mediumTell-tale sign
PhishingEmail (bulk)Generic lure, spoofed sender, urgent link to fake login
Spear phishingEmail (targeted)Personalized to a named individual using researched detail
VishingVoice callCaller invents urgency/authority to extract data or action
SmishingSMS / textShort link or callback number in an unsolicited text
Business email compromise (BEC)Email (spoofed/hijacked exec or vendor)Wire-transfer or invoice change request from 'leadership'
PretextingAny (phone, email, in person)Fabricated backstory that justifies an unusual request
Impersonation / brand impersonationAny; often web/emailPoses as a trusted person or company to lower suspicion
Watering holeCompromised trusted websiteA site the target group routinely uses now serves malware
TyposquattingLook-alike domain / URLMisspelled or homoglyph domain mimicking a real brand
Misinformation / disinformationSocial media, web, messagingFalse (or deliberately deceptive) content shaping a decision

Decision tree

Social-engineering attack: delivered over a voice call? Yes Vishing (phone / voice phishing) No Delivered by SMS / text message? Yes Smishing (SMS phishing) No (email) Email requests a wire / payment-detail change from a spoofed exec or vendor? Yes Business email compromise (BEC) No Personalized to a named individual with researched detail? Yes Spear phishing (whaling if aimed at an exec) No (bulk) Phishing (bulk email lure) Channel-agnostic tells: fabricated story = pretexting; compromised trusted site = watering hole; look-alike domain = typosquatting; deliberate falsehood = disinformation. Verify out-of-band before acting.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A vector is one route; the attack surface is every route summed

A threat vector (attack vector) is the specific route of a single intrusion: one phishing email, one open port, one rogue USB. The attack surface is the aggregate of every reachable entry point: each interface, port, service, account, device, and human. So the vector answers how this one attack got in, while the attack surface is the total exposure you work to shrink. The two terms are not interchangeable on the stem.

Trap Treating "attack vector" and "attack surface" as synonyms: the vector is one path, the surface is the sum of all of them.

Classify a delivery vector by its channel or its payload container

Message-based vectors deliver lures or payloads over a messaging channel: email, SMS, or instant messaging; file-based vectors hide malicious code inside a document, script, archive, or executable the user opens; image-based vectors conceal payloads within image files via steganography or a malformed parser. The categories overlap deliberately: a phishing email (message-based) can carry a weaponized attachment (file-based), so classify by whichever the stem emphasizes: the delivery channel or the payload's container.

Trap Forcing a phishing email with a malicious attachment into one bucket, when it is both message-based delivery and a file-based payload; classify by what the stem emphasizes.

1 question tests this
Voice-call vectors enable vishing; removable media carries malware in or data out

A voice-call vector is the phone channel exploited for vishing. A removable-device vector (USB sticks and external media) both introduces malware and exfiltrates data, and is countered by device-control/USB-blocking policy, disabling autorun, and physically locking down ports. The removable-media risk is two-directional: it is as much a covert exfiltration path as an infection path.

Trap Treating a USB drive as only an inbound malware-infection risk, overlooking that the same removable media is a covert outbound data-exfiltration path.

1 question tests this
Unsecure-network vectors are fixed by encryption and segmentation, not just logging

Unsecure-network vectors include open or weakly encrypted wireless (including rogue APs and evil-twin APs), flat unsegmented wired LANs that let one foothold reach everything, and discoverable Bluetooth radios. Mitigate by closing the exposure itself: strong encryption (WPA2/WPA3), network segmentation, and disabling unneeded radios. Adding more logging is detective only: it watches the weakness without removing it.

Trap Answering "increase logging/monitoring" to reduce an unsecure-network vector: detection observes the exposure but does not shrink it.

Every listening port is an entry point: inventory and close what isn't needed

An open (listening) service port is a potential entry point and the first place attackers and assessors probe during discovery. Inventory listening ports and firewall or close anything not required; never leave high-value services such as RDP (3389), SMB (445), or admin consoles directly internet-facing, since those are top targets for brute-force and worm propagation.

Default credentials are a one-step compromise: change them before deployment

Factory-default usernames and passwords left on routers, IoT devices, databases, and admin consoles let an attacker in with a single publicly known value, and automated malware (e.g. Mirai) scans the internet for exactly these. The control is to change every default credential before the device goes into production: leaving a known default on a reachable device is a major, widely exploited risk.

Patchable software is a temporary vector; unsupported software is a standing one

Vulnerable software with an available patch is a vector only until you update it. Unsupported (end-of-life) software is a standing vector: the vendor ships no patches at all, so a known CVE stays exploitable indefinitely, which is why the exam-correct treatment for EOL is replacement. When you can't replace it yet, isolate and compensate with segmentation and virtual patching.

Trap Answering "keep patching" for end-of-life software: the vendor issues no patches, so the fix is replacement (or isolation), not a patch that doesn't exist.

Phishing, vishing, and smishing are the same con over different channels

The three differ only by delivery channel: phishing = fraudulent email, vishing = voice/phone call, smishing = SMS/text. The exam tests the medium word, so a text-message scenario is smishing even when the lure reads exactly like a phishing email. Match the term to the channel named in the stem, not to the content of the message.

Trap Calling a text-message scam "phishing" because the lure sounds email-like: the SMS channel makes it smishing.

5 questions test this
Spear phishing is targeted; whaling targets the executive

Spear phishing is phishing aimed at a named individual using researched personal detail, trading volume for higher conviction. Whaling is spear phishing specifically directed at a high-value executive (CEO, CFO). Bulk, generic, untargeted email is plain phishing: the discriminator is how specific and senior the target is.

Trap Labeling a targeted lure aimed at the CFO "spear phishing" when the senior-executive target makes it whaling.

3 questions test this
Pretexting supplies the fabricated backstory other attacks ride on

Pretexting invents a scenario or backstory that justifies an unusual request, for example posing as IT to "verify" a password. It is channel-agnostic and functions as a building block beneath many other social-engineering attacks rather than only as a standalone technique, so a stem that hinges on the believable cover story (not the delivery channel) is pointing at pretexting.

Trap Classifying an attack by its delivery channel when the stem turns on the fabricated cover story itself, which is what marks it as pretexting.

Impersonation borrows a person's trust; brand impersonation borrows a company's

Impersonation poses as a specific trusted person (a colleague, the help desk, an executive) while brand impersonation poses as a trusted company using spoofed logos, look-alike sites, or fake support pages. Both work by borrowing existing trust to lower the target's suspicion; the discriminator is whether the disguise is an individual or an organization.

Trap Picking plain impersonation for a spoofed-logo fake support page, when posing as the company rather than a specific person makes it brand impersonation.

BEC moves money via a spoofed exec or vendor: verify out-of-band

Business email compromise (BEC) spoofs or hijacks an executive or vendor email account to request a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice/banking-change request appearing to come from leadership or a supplier; the exam-correct control is out-of-band verification (call a known number) never a reply to the email itself, which may be attacker-controlled.

Trap Replying to the suspicious email to confirm the wire request: if the account is hijacked, you are confirming with the attacker; verify on a separately known channel.

A watering-hole attack poisons a site the targets already trust

A watering-hole attack compromises a legitimate third-party website the target group routinely visits, so victims infect themselves while browsing a site they already trust and the attacker never contacts them directly. Because the malware is served from a legitimate, hard-to-blacklist site, the tell is a normally-trusted site suddenly serving malware to a specific population.

Trap Reading a watering-hole attack as direct phishing, when the attacker never contacts victims and instead poisons a trusted site they choose to visit.

5 questions test this
Typosquatting registers look-alike domains to catch mistyped URLs

Typosquatting (a form of URL hijacking) registers misspelled or homoglyph domains that mimic a real brand to capture users who mistype an address, then serves a phishing page or drive-by malware. It overlaps with brand impersonation, so the discriminator is the deceptive domain name itself: a look-alike URL rather than a spoofed message or logo alone.

Trap Labeling a mistyped-URL look-alike domain as brand impersonation, when the deceptive domain name itself is the defining feature of typosquatting.

2 questions test this
Misinformation vs. disinformation turns entirely on intent

Misinformation is false information spread without intent to deceive (an honest error passed along); disinformation is deliberately false content spread to mislead, as in a coordinated influence campaign. On SY0-701 the single discriminator is intent: deliberate falsehood is disinformation. Both are recognized threat vectors because they steer human decisions, and the controls are awareness, source verification, and authoritative channels.

Trap Calling deliberately planted false content "misinformation": intentional deception makes it disinformation.

Social engineering is countered by people and process, not a patch

Social engineering exploits the human (trust, urgency, authority, fear) rather than a software flaw, so the primary controls are security-awareness training plus process controls such as out-of-band verification of payment or credential changes. A technical fix like patching addresses a different problem; on a social-engineering stem the right answer is almost always training and verification procedure.

Trap Choosing "apply a patch" against social engineering: there is no software bug to patch; the exposure is human, so the answer is training and process.

1 question tests this
Supply chain extends your attack surface into trusted third parties

MSPs, hardware vendors, software suppliers, and open-source dependencies are part of your attack surface because compromising any of them reaches you through a trusted channel that installs with full trust. An MSP with broad remote access can breach many customers from one foothold, and a malicious update from a legitimate supplier installs without question: the trust that makes the relationship useful is exactly what the attacker rides in on.

Trap Scoping the attack surface to your own systems only, when trusted MSPs, suppliers, and dependencies reach you through channels that install with full trust.

7 questions test this
Manage supply-chain risk with due diligence, code signing, and an SBOM

Control supply-chain (MSP/vendor/supplier) risk with vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) that enumerates exactly which dependencies you actually run. The SBOM is what lets you answer "are we affected?" fast when a dependency is found vulnerable.

Trap Reaching for a vulnerability scanner to answer "are we affected?" when an SBOM is what instantly enumerates which dependencies you actually run.

6 questions test this
Reduce the attack surface by removing exposure, not by watching it

The most effective way to reduce an attack surface is to remove or harden entry points: close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment the network, and minimize accounts. Adding a detective layer such as more logging does not shrink the surface: it only observes it, so on a "BEST way to reduce the attack surface" item the answer is elimination, not detection.

Trap Picking "add monitoring/logging" as the best way to reduce the attack surface: detection watches exposure without eliminating it.

Hardware implants and firmware tampering ride in below the OS

A hardware supply-chain compromise inserts unauthorized chips or modified firmware into a device during manufacturing or shipment, before it ever reaches the buyer. Because the implant lives below the OS, it evades antivirus and host IDS and mimics a legitimate component, so detection relies on physical inspection and firmware-integrity checks rather than software scanning, and buying from unauthorized resellers raises the risk.

Trap Trusting antivirus/EDR to catch a firmware implant: it operates beneath the OS, so software scanning can't see it; detection is physical and firmware-integrity based.

8 questions test this
Dependency confusion wins by publishing a higher-versioned public look-alike

In a dependency-confusion attack the adversary publishes a malicious package to a public repository using the exact name of a victim's internal/private package but with a higher version number. The package manager's resolution logic prefers the higher version, so it fetches the attacker's public package instead of the intended internal one and executes its code during the build. The defense is scoping/namespacing internal packages and pinning trusted sources so a public higher version can't win.

Trap Assuming a private package always beats a public one of the same name: the resolver picks the higher version number, which the attacker simply sets larger.

4 questions test this
Bluesnarfing silently steals data over Bluetooth; bluejacking only pushes messages

Bluesnarfing exploits a Bluetooth connection (often via the OBEX protocol on a discoverable device) to covertly copy data such as contacts, calendar entries, and emails without the owner's consent. Contrast bluejacking, which only pushes unwanted messages to a device and steals nothing; bluesnarfing exfiltrates data. The roughly 10-meter proximity requirement makes crowded public areas the typical setting, and disabling discoverability is the basic defense.

Trap Confusing bluesnarfing with bluejacking: bluejacking merely sends unsolicited messages, while bluesnarfing actually copies data off the device.

4 questions test this

References

  1. CompTIA Security+ (SY0-701) certification
  2. Attack surface (NIST glossary)
  3. Technical Guide to Information Security Testing and Assessment (SP 800-115) Whitepaper
  4. Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1) Whitepaper