Explain common threat vectors and attack surfaces
A threat vector is the path an attacker uses to reach a target. The attack surface is the total set of all possible entry points. Reducing attack surface and hardening vectors is foundational defense.
Message-Based Vectors
Email remains the most exploited initial-access vector. Period.
- Phishing: Mass emails impersonating legitimate entities to steal credentials or deliver malware
- Spear-phishing: Targeted phishing aimed at specific individuals with personalized content
- Whaling: Spear-phishing targeting executives (CEO, CFO)
- Business Email Compromise (BEC): Attacker compromises or impersonates a business email account to authorize fraudulent transfers
- Malicious attachments: Weaponized Office docs (macro-enabled), PDFs, archive files
- Malicious links: URLs leading to credential harvesting pages or drive-by download sites
SMS (Smishing)
Phishing via text message. Exploits trust in SMS and mobile-first behavior.
- Fake shipping notifications, bank alerts, MFA codes
- Often includes shortened URLs to hide the destination
Instant Messaging
Phishing via Slack, Teams, Discord, WhatsApp.
- Exploits implicit trust within internal communication platforms
- Compromised accounts send malicious links to colleagues
Image-Based Vectors
- Malicious code embedded in image metadata (EXIF) or pixel data; the image itself does nothing until a loader already on the host extracts and runs the payload
- Steganographic payloads: data hidden in images that look normal, used to smuggle payloads or exfiltrated data past content inspection
- Exploits in image parsers (memory corruption such as buffer overflows triggered by malformed image files), which is why image libraries need prompt patching
File-Based Vectors
- Infected documents, executables, scripts distributed via email, file shares, downloads
- Polyglot files: files that are valid as multiple formats simultaneously (e.g., a file that’s both a valid PDF and a valid ZIP)
- Living-off-the-land: malicious scripts using built-in tools (PowerShell, bash) rather than dropped executables
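Worked example (added here, not part of the original notes): the polyglot trick from the list above, in Python. It builds a small well-formed PDF, appends a ZIP archive so the same bytes satisfy both parsers (a PDF viewer parses from the header at the front, a ZIP tool from the end-of-central-directory record at the back), then shows the check a content-inspection tool should do: count how many formats accept the blob and whether anything trails the PDF's `%%EOF`. The hidden member name and contents are constructed for the demo.

```python
import io
import zipfile


def build_minimal_pdf():
    """Construct a small but well-formed single-page PDF with a correct xref table."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_at)
    return bytes(out)


def make_pdf_zip_polyglot(member_name, member_bytes):
    """PDF in front, ZIP behind: a PDF viewer reads from the header, a ZIP tool
    locates the end-of-central-directory record from the tail, so both accept it."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)   # constructed demo payload
    return build_minimal_pdf() + zbuf.getvalue()


def extract_hidden(polyglot, member_name):
    """What the ZIP side of the file yields; zipfile compensates for the PDF prefix itself."""
    with zipfile.ZipFile(io.BytesIO(polyglot)) as zf:
        return zf.read(member_name)


def identify_formats(data):
    """Every format whose parser would accept this blob, not just the first magic number."""
    found = []
    if b"%PDF-" in data[:1024]:                 # common readers accept the header anywhere in the first 1 KiB
        found.append("pdf")
    if data.startswith(b"MZ"):
        found.append("pe")
    if data.startswith(b"\xff\xd8\xff"):
        found.append("jpeg")
    if zipfile.is_zipfile(io.BytesIO(data)):    # searches backwards for the EOCD signature
        found.append("zip")
    return found


def trailing_bytes_after_pdf_eof(data):
    """Non-whitespace byte count after the last %%EOF; anything here deserves a look."""
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return 0
    return len(data[idx + len(b"%%EOF"):].strip())


def is_polyglot(data):
    return len(identify_formats(data)) > 1


if __name__ == "__main__":
    blob = make_pdf_zip_polyglot("payload.txt", b"constructed demo payload")
    print(identify_formats(blob), trailing_bytes_after_pdf_eof(blob),
          extract_hidden(blob, "payload.txt"))
```

Strict PDF parsers may reject the trailing data, and that disagreement between parsers is exactly what a polyglot exploits: the mail gateway's archive scanner and the user's viewer see two different files. A gateway check that stops at the first magic number misses the second format.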
Voice-Based (Vishing)
Social engineering over phone calls.
- Pretexting as IT support, a bank, or a government agency
- Deepfake voice technology makes impersonation more convincing
- Often combined with other vectors (call follows a phishing email to add urgency)
Removable Media
- USB drives (dropped in parking lots, mailed to employees)
- USB Rubber Ducky / BadUSB: Devices that look like USB drives but enumerate as keyboards and inject keystrokes
- Optical media, SD cards, external hard drives
- Exam tip: Removable media policies (disable autorun, restrict USB ports, endpoint DLP) are the primary defense
Unsecure Networks
Wireless
- Evil twin: Rogue access point mimicking a legitimate network name (SSID)
- Rogue AP: Unauthorized access point connected to the corporate network
- Deauthentication attacks: Spoofed deauth frames force clients off the legitimate AP to capture the reconnect handshake or push them onto an evil twin (802.11w protected management frames, mandatory in WPA3, blunt this)
- Bluetooth attacks: Bluejacking (unsolicited messages), Bluesnarfing (data theft)
Wired
- Physical access to network jacks in lobbies, conference rooms, unsecured areas
- Network taps and inline devices
- ARP poisoning on the local network (attacker answers ARP requests with their own MAC address to sit in the middle)
Vulnerable Software
Client-Based
- Unpatched browsers, email clients, office suites
- Browser extensions with excessive permissions
- Software supply chain attacks (compromised update mechanisms)
Agentless
- Vulnerabilities in network services that don’t require software installation on the target
- Exploiting exposed management interfaces, APIs, web applications
Open Service Ports
- Every open port is a potential entry point
- Common targets: RDP (3389), SSH (22), SMB (445), HTTP/HTTPS (80/443)
- Unnecessary services = unnecessary attack surface. If it’s not needed, disable it.
Default Credentials
- Factory-set usernames and passwords on routers, switches, cameras, IoT devices
- Publicly documented and actively scanned by automated tools
- Exam staple: Default credentials are one of the most common and easily preventable vectors
Supply Chain Vectors
Managed Service Providers (MSPs)
- Compromise the MSP → gain access to all their clients
- MSPs have privileged access across multiple organizations
- Kaseya VSA (2021) is the textbook case: attackers exploited the MSP remote-management tool to push ransomware to the MSPs' customers; SolarWinds Orion is the related example of a trojanized update to a widely deployed IT management tool
Vendors
- Third-party software, hardware, or services that become the attack path
- Pre-installed malware on hardware (documented cases with firmware implants)
- Compromised software updates or distribution channels (SolarWinds Orion build pipeline, Codecov's Bash Uploader script, Kaseya VSA)
Suppliers
- Upstream component providers whose compromise cascades downstream
- Hardware supply chain: tampered chips, intercepted shipments
- Open source dependencies: malicious packages in npm, PyPI, etc.
Human Vectors
Social Engineering
The art of manipulating people into breaking security procedures.
- Phishing — Broad deception via electronic communication
- Pretexting — Creating a fabricated scenario to extract information
- Impersonation — Posing as someone with authority (IT admin, executive, vendor)
- Watering hole — Compromising websites the target frequently visits
- Typosquatting — Registering domains that mimic legitimate ones (gogle.com)
- Brand impersonation — Fake login pages, spoofed emails matching corporate branding
Misinformation/Disinformation
- Manipulating information to influence behavior
- Fake security alerts that trick users into installing “fixes” (malware)
Social Engineering Comparison
CompTIA loves “compare and contrast” on social engineering techniques:
| Technique | Method | What Attacker Wants | Key Indicator |
|---|---|---|---|
| Phishing | Mass email | Credentials, malware install | Generic greeting, urgency, mismatched URLs |
| Spear-phishing | Targeted email to specific person | Credentials, targeted data access | Personalized, references real projects/people |
| Whaling | Spear-phishing targeting executives | Wire transfers, strategic data | Impersonates board member, legal, or CFO |
| Vishing | Phone call | Information, credentials, wire transfer | Caller ID spoofing, authority/urgency |
| Smishing | SMS/text | Click link, install app, credentials | Shortened URLs, delivery/banking themes |
| Pretexting | Fabricated scenario (any channel) | Information, access, trust | Elaborate backstory, builds rapport first |
| Impersonation | Posing as authority figure | Physical access, information, compliance | Uniform, badge, confidence |
| Watering hole | Compromise frequently visited website | Malware delivery to specific group | Target-relevant website, drive-by download |
| Typosquatting | Fake domain (gogle.com) | Credentials, malware | URL looks almost right, login page clone |
| Tailgating | Following authorized person through door | Physical access | No badge, “hands full” excuse |
| Shoulder surfing | Watching someone enter credentials | Credentials, PINs | Person positioned to see screen/keypad |
| Dumpster diving | Searching discarded materials | Documents, credentials, intel | N/A (physical) |
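Worked example (added here, not part of the original notes): a small Python triage script that turns the "Key Indicator" column above into checks run over a raw email. It flags a brand name in the display name that does not match the sender domain, a Reply-To pointing elsewhere, a generic greeting, urgency phrases, anchor text that shows one host while the href goes to another, URL shorteners, and typosquat/homoglyph lookalikes of protected domains (gogle, arnazon). The protected-brand list, shortener list, phrase lists and both sample messages are constructed assumptions for the demo, and the message is assumed to carry a From header.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: brands we protect against lookalikes, known shorteners, phrases.
PROTECTED_DOMAINS = {"amazon.com", "google.com", "example-bank.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}
URGENCY_TERMS = ("immediately", "within 24 hours", "will be suspended", "verify now", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear account holder")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for brand comparison here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Protected domain that `host` imitates by typo or homoglyph (gogle, arnazon), else None."""
    base = registrable(host)
    if not host or base in PROTECTED_DOMAINS:
        return None
    label = base.split(".")[0]
    # Fold the classic homoglyph swaps before comparing: rn->m, vv->w, 0->o, 1->l.
    folded = label.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    for brand in PROTECTED_DOMAINS:
        b = brand.split(".")[0]
        if b in folded.split("-") or levenshtein(label, b) <= 2:
            return brand
    return None


def phishing_indicators(raw):
    """Map each indicator from the comparison table to the evidence found in one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {}
    sender = msg["from"].addresses[0]          # assumption: a From header is present
    from_domain = registrable(sender.domain)
    for brand in PROTECTED_DOMAINS:
        if brand.split(".")[0] in sender.display_name.lower() and from_domain != brand:
            found["display_name_brand_mismatch"] = f"{sender.display_name!r} from {sender.domain}"
    if lookalike_of(sender.domain):
        found["lookalike_sender_domain"] = sender.domain
    reply_to = msg["reply-to"]
    if reply_to and registrable(reply_to.addresses[0].domain) != from_domain:
        found["reply_to_mismatch"] = str(reply_to)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = content.lower()
    if any(g in text for g in GENERIC_GREETINGS):
        found["generic_greeting"] = "impersonal salutation"
    if any(t in text for t in URGENCY_TERMS):
        found["urgency"] = [t for t in URGENCY_TERMS if t in text]
    links = _Links()
    links.feed(content)
    for href, anchor in links.links:
        host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.match(anchor)           # anchor text that itself looks like a URL
        if shown and registrable(shown.group(1)) != registrable(host):
            found["mismatched_link"] = f"shows {shown.group(1)}, goes to {host}"
        if host in URL_SHORTENERS:
            found["url_shortener"] = href
        if lookalike_of(host):
            found["lookalike_domain"] = f"{host} imitates {lookalike_of(host)}"
    return found


# Constructed sample messages for the demo (not real mail).
SAMPLE_PHISH = b"""\
From: "Amazon Customer Service" <alerts@arnazon-support.com>
Reply-To: recovery@verify-center.net
To: victim@example.org
Subject: Action required: unusual sign-in
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Verify now or your account will be suspended within 24 hours.</p>
<p><a href="http://bit.ly/3xAmzn">https://www.amazon.com/account</a></p>
<p><a href="https://arnazon-support.com/login">Sign in to Amazon</a></p>
</body></html>
"""

SAMPLE_LEGIT = b"""\
From: IT Helpdesk <helpdesk@example.org>
To: alice@example.org
Subject: Lab network maintenance complete
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Alice,</p><p>The lab VLAN is back; notes are on the
<a href="https://wiki.example.org/lab">wiki</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw))
```

The lookalike check is deliberately loose (edit distance of 2 on the brand label) and will fire on some legitimate domains; in production it belongs behind an allowlist of the brand's real subdomains and partner domains, and the header checks should sit alongside SPF/DKIM/DMARC results rather than replace them.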
Social Engineering Decision Logic
| If the scenario describes… | The technique is… |
|---|---|
| "CEO received personalized email referencing board meeting" | Whaling (spear-phishing targeting executive) |
| "All employees received email about password reset" | Phishing (mass, untargeted) |
| "Attacker called IT help desk posing as new employee" | Vishing + pretexting |
| "Fake website registered as arnazon.com" | Typosquatting |
| "Attacker infected a security blog popular with the target org's team" | Watering hole |
| "Person followed employee through badge-controlled door" | Tailgating |
Attack Surface Management
The total attack surface = all possible vectors combined. Reducing it is a continuous process:
- Asset inventory — Can’t protect what you don’t know about
- Vulnerability scanning — Find what’s exposed
- Patch management — Close known holes
- Network segmentation — Limit blast radius
- Principle of least functionality — Disable everything that’s not needed
- Regular review — Attack surface changes with every new system, user, or integration
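Worked example (added here, not part of the original notes) covering both the Open Service Ports section and the attack-surface list above: a Python audit that parses a snapshot of `ss -tulpn` output, drops loopback-only listeners, and reports every network-reachable service that is not in the host's approved baseline, rating the page's classic targets (RDP, SMB, VNC, SNMP and friends) as high. The snapshot, the high-risk port table and the web-server baseline are constructed assumptions for the demo.

```python
import re

# Services attackers probe first (the page's list plus the usual management protocols).
HIGH_RISK_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMP", 445: "SMB", 1433: "MSSQL",
                   3306: "MySQL", 3389: "RDP", 5900: "VNC"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed `ss -tulpn` snapshot from a host that is supposed to be a plain web server.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1407,fd=32))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1550,fd=6))
tcp   LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2210,fd=4))
tcp   LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=2301,fd=11))
tcp   LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("node",pid=2450,fd=20))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=990,fd=7))
"""

# Assumption: the approved baseline for this host's role (principle of least functionality).
WEB_SERVER_ALLOWED = {22, 80, 443}


def parse_ss(output):
    """Return (proto, bind_address, port, process) for each listening socket."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")   # handles [::]:3389 and *:80
        if not port.isdigit():
            continue                                 # header line
        proc = PROC_RE.search(line)
        listeners.append((fields[0], addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def audit_listeners(output, allowed_ports):
    """Listeners reachable from the network that are not in the approved baseline."""
    findings = []
    for proto, addr, port, proc in parse_ss(output):
        if addr in LOOPBACK or port in allowed_ports:
            continue   # loopback-only is not network attack surface; allowed is expected
        findings.append({
            "proto": proto, "port": port, "process": proc,
            "service": HIGH_RISK_PORTS.get(port, "unknown"),
            "severity": "high" if port in HIGH_RISK_PORTS else "medium",
        })
    return sorted(findings, key=lambda f: f["port"])


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, WEB_SERVER_ALLOWED):
        print(f"{f['severity']:6} {f['proto']}/{f['port']:<5} {f['service']:8} {f['process']}")
```

Run the same audit on every host inventory item on a schedule and diff against the last run: a new listener on 0.0.0.0 is exactly the kind of change the "regular review" bullet is about, and the process name tells you which package or integration opened it.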
Offensive Context
An attacker’s reconnaissance phase maps exactly to this objective — they’re looking for the easiest vector with the highest payoff. Automated scanners test default credentials and open ports. OSINT reveals the org’s technology stack. Supply chain analysis identifies trusted third parties that might be softer targets. The defender’s job is to see their organization through the attacker’s eyes and make every vector as expensive as possible.