1.6 Threat vectors & attack surfaces
📘CompTIA Security+ SY0-701
1. What Is a Threat Vector?
A threat vector is the path or method an attacker uses to reach a target system or user in order to deliver a malicious attack.
In simple terms, it’s how a cyberattack gets in — like a “doorway” that attackers use to reach their victim.
🧠 2. What Is an Attack Surface?
An attack surface is the complete set of points through which an attacker could try to get into a system, network, or organization: exposed services, devices, accounts, applications, and the people who use them. The larger the surface, the more there is to defend.
For example, every user’s email account, mobile phone, and messaging app adds to the organization’s total attack surface.
📬 3. Message-Based Threat Vectors
Message-based vectors are attack methods that use communication messages to reach users and deliver malicious content.
Attackers know that humans are often the weakest link in security.
So, they target message channels people use every day — like email, SMS (text messages), and instant messaging (IM) platforms.
Let’s go through each one carefully.
✉️ 4. Email-Based Threats
Definition:
Email-based threats are attacks delivered through email messages.
They often use attachments, links, or social engineering to trick users into opening something harmful.
Common Types:
1. Phishing
- The attacker sends a fake email that looks legitimate.
- The goal is to make the user reveal personal information (like login credentials or financial info) or click on a malicious link.
- Example in IT: An email looks like it’s from the company’s IT department asking users to “verify your password” using a link.
2. Spear Phishing
- A more targeted form of phishing.
- The attacker customizes the email for a specific person or group, using real details to look more convincing.
- Example: Targeting a finance manager using their real name and company information.
3. Whaling
- A special type of spear phishing aimed at high-profile individuals, like executives or directors.
- These attacks often request urgent payments or sensitive business data.
4. Business Email Compromise (BEC)
- The attacker impersonates a trusted person or partner to trick employees into making wire transfers or sharing sensitive info.
- Attackers may even take control of real business accounts.
5. Malicious Attachments
- Emails with infected files (like PDFs, Word documents, or ZIP files) that install malware once the file is opened or the user is talked into enabling its macros or scripts.
6. Malicious Links
- Emails that contain links to fake websites that look legitimate but are designed to steal credentials or download malware.
7. Spam and Scams
- Unwanted bulk messages that may contain ads, fake offers, or links to malicious sites.
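The three most mechanical signs from the list above (a Reply-To or Return-Path domain that does not match the From domain, a link whose visible text shows one host while the href points to another, and a macro-enabled or executable attachment) can be checked automatically. The Python below is an added example, not code from the Security+ material or from any vendor; the two messages it parses are constructed for the example, and the addresses, hosts and risky-extension list are assumptions chosen for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing message (hypothetical senders, hosts and file; not a real campaign).
RAW_EMAIL = """\
Return-Path: <bounce@example-support.xyz>
From: IT Support <it-support@example.com>
Reply-To: helpdesk@example-support.xyz
To: alice@example.com
Subject: Action required: verify your password within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Verify it here:
<a href="https://example-support.xyz/login">https://portal.example.com/verify</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="Password_Reset_Form.docm"
Content-Disposition: attachment; filename="Password_Reset_Form.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = """\
From: HR <hr@example.com>
To: alice@example.com
Subject: Benefits enrollment
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://portal.example.com/benefits">Open the portal</a></body></html>
"""

# Extensions that run code or carry macros; an assumed list, tune it to your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    # 1. Header alignment: replies or bounces routed to a different domain than the From.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    # 2. Link masking: visible text is itself a URL whose host differs from the real target.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = urlsplit(href).hostname or ""
            text_host = urlsplit(text).hostname if text.lower().startswith("http") else None
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
    # 3. Attachments with code-bearing extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky extension {ext}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL):
        print(finding)
```

Each of these checks produces false positives on its own (mailing lists legitimately rewrite Return-Path, for instance), so in practice they are scored and combined with the authentication results rather than used as a single block/allow decision.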
Security Controls for Email Threats:
| Control | Description |
|---|---|
| Email Filtering | Scans emails for spam, phishing content, or malware before they reach users. |
| Anti-malware Scanning | Checks attachments and links for viruses or malicious code. |
| Sender Authentication (SPF, DKIM, DMARC) | SPF lets a domain publish in DNS which servers may send mail for it; DKIM adds a signature the receiver verifies against a public key in DNS; DMARC requires one of those results to align with the visible From domain and tells receivers whether to quarantine or reject mail that fails. |
| User Awareness Training | Teaches users how to spot phishing and suspicious emails. |
| Sandboxing | Opens attachments in an isolated environment to detect harmful behavior safely. |
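To make the SPF/DKIM/DMARC row concrete, here is an added Python example (not code from the Security+ material or from any mail product) of what an inbound gateway does: evaluate the sending IP against the domain's SPF record, then apply DMARC alignment and policy. Everything it needs from DNS comes from a constructed dictionary of hypothetical records, DKIM signature verification is taken as an input verdict (it needs the public key and raw message), and the organizational-domain calculation is simplified to the last two labels instead of the Public Suffix List.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (hypothetical domains, not real records).
# example.com is the protected domain, relay.example.net its outsourced mail provider,
# attacker.test a domain the attacker owns and has configured SPF for correctly.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:relay.example.net -all",
    "bounce.example.com": "v=spf1 include:example.com -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "attacker.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting IP.
    Subset of RFC 7208: the ip4, ip6, include and all mechanisms only."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            matched = spf_check(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False             # a, mx, exists, ptr are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(header_from_domain):
    """Look up _dmarc.<From domain>, falling back to the organizational domain."""
    for d in (header_from_domain, org_domain(header_from_domain)):
        record = DNS_TXT.get("_dmarc." + d.lower())
        if record and record.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) is an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(connecting_ip, mail_from_domain, header_from_domain, dkim_result):
    """dkim_result is (verdict, signing d= domain) as a DKIM verifier would report it."""
    pol = dmarc_policy(header_from_domain)
    spf = spf_check(connecting_ip, mail_from_domain)
    dkim_verdict, dkim_domain = dkim_result
    if pol is None:
        return {"spf": spf, "dkim": dkim_verdict, "dmarc": "none", "disposition": "none"}
    spf_ok = spf == "pass" and aligned(mail_from_domain, header_from_domain, pol.get("aspf", "r"))
    dkim_ok = dkim_verdict == "pass" and aligned(dkim_domain, header_from_domain, pol.get("adkim", "r"))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf": spf, "dkim": dkim_verdict, "dmarc": dmarc,
            "disposition": "none" if dmarc == "pass" else pol.get("p", "none")}


if __name__ == "__main__":
    # Legitimate mail via the relay; bounces use a subdomain, which relaxed SPF alignment accepts.
    print(dmarc_evaluate("198.51.100.10", "bounce.example.com", "example.com", ("pass", "example.com")))
    # Plain spoof of the From header from an unrelated IP with no DKIM signature.
    print(dmarc_evaluate("192.0.2.55", "example.com", "example.com", ("none", "")))
    # Attacker's own infrastructure: SPF and DKIM both pass for attacker.test,
    # but neither identifier aligns with example.com, so DMARC still fails.
    print(dmarc_evaluate("192.0.2.55", "attacker.test", "example.com", ("pass", "attacker.test")))
```

The third case is the one worth remembering for the exam: SPF and DKIM on their own only prove that a message is authentic for whatever domain the attacker chose; it is DMARC's alignment requirement that ties the result to the From address the user actually sees.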
📱 5. SMS-Based Threats (Smishing)
Definition:
Smishing (SMS phishing) is when attackers send malicious text messages to trick users into revealing personal information or clicking on harmful links.
How It Works:
- The attacker sends a text message that appears to come from a trusted organization (like a company, delivery service, or bank).
- The message may include:
- A link to a fake website.
- A phone number that connects to the attacker.
- A request for personal or account details.
Risks from Smishing:
- Users might download malware onto their mobile devices.
- Attackers might steal credentials or financial details.
- Compromised mobile devices can give attackers access to company networks (especially if mobile devices are used for work).
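Smishing links usually rely on the host name looking right at a glance: the brand appears somewhere in the host, or one character is swapped. The Python below is an added example (not from the Security+ material or any carrier's filtering) of a lookalike check a security app or a gateway that receives SMS could run. The messages, brand list and hosts are constructed for the example, and the registrable-domain logic is simplified to the last two labels (a real implementation would use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Constructed sample texts (hypothetical hosts; none of these are real campaigns).
SAMPLE_SMS = [
    "USPS: your parcel is waiting. Confirm your address at https://usps.com/redelivery",
    "Your package could not be delivered. Update details: https://usps-delivery-track.com/pkg",
    "PayPal: unusual sign-in. Secure your account: https://paypal.com.secure-login.xyz/verify",
    "Bank alert: verify now http://paypa1.com/login",
    "Reminder: dentist appointment tomorrow at 10:00.",
]

# Assumed list of brands users expect texts from, mapped to the real registrable domain.
KNOWN_BRANDS = {"usps": "usps.com", "paypal": "paypal.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of the host; simplified (assumption: no Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character substitutions like paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """'ok' for the brand's real domain, 'unknown' for unrelated hosts, else a reason string."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, real in KNOWN_BRANDS.items():
        if reg == real:
            return "ok"
        # Brand name used as a subdomain or as part of a longer registrable domain.
        if brand in host:
            return f"brand '{brand}' appears in host but registrable domain is {reg}"
        # Typosquat: the registrable label is one edit away from the real one.
        if edit_distance(reg.split(".")[0], real.split(".")[0]) == 1:
            return f"{reg} is one character away from {real}"
    return "unknown"


def triage_sms(text):
    """Return [(url, reason)] for every URL in the text that looks like a lookalike."""
    findings = []
    for url in URL_RE.findall(text):
        verdict = classify_url(url)
        if verdict not in ("ok", "unknown"):
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(sms[:50], "->", triage_sms(sms) or "clean")
```

Note what the check does not catch: a shortened URL or an unrelated domain ("unknown") passes, which is why the user-awareness control still matters, and a legitimate partner host that contains a brand name would be flagged and needs an allowlist.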
Security Controls for SMS Threats:
| Control | Description |
|---|---|
| Mobile Device Management (MDM) | Allows the organization to control and secure employee mobile devices. |
| User Awareness | Training users to verify unknown links or numbers before responding. |
| Filtering by Carrier or Security Apps | Some mobile providers block known smishing sources. |
| Disable Automatic Link Previews | Stops the messaging app from fetching a URL just to render a preview, which would otherwise contact the attacker’s server before the user taps anything. |
💬 6. Instant Messaging (IM)-Based Threats
Definition:
IM-based threats use chat applications like Microsoft Teams, Slack, WhatsApp, or other enterprise messaging tools to deliver malicious content.
How Attackers Use IM:
- Malicious Links
- Attackers send harmful URLs disguised as legitimate links in chat messages.
- Malware Files
- Attackers share files (like “updates,” “documents,” or “reports”) that contain malware.
- Social Engineering
- Attackers pretend to be coworkers or IT staff to request sensitive info or login credentials.
- Compromised Accounts
- If one user’s IM account is taken over, the attacker can message everyone that account can reach from a trusted identity, so the malicious links and files it sends are far more likely to be opened.
- Data Leakage
- Employees might unintentionally share confidential data through unsecured IM platforms.
Security Controls for IM Threats:
| Control | Description |
|---|---|
| Access Control | Only authorized users should be allowed on company IM platforms. |
| Monitoring and Logging | Track IM activity for suspicious behavior or large data transfers. |
| Security Policies | Create clear rules for what can or cannot be shared via IM. |
| Endpoint Protection | Ensure antivirus and firewall software scans downloaded IM files. |
| Encryption | Use end-to-end encryption so message content cannot be read in transit; note that it does nothing against a malicious message sent from a compromised or impersonated account. |
🔒 7. Key Takeaways for the Exam
| Concept | Explanation |
|---|---|
| Threat Vector | The path attackers use to reach a target (email, SMS, IM). |
| Attack Surface | The complete set of points (services, devices, accounts, people) where an attacker could attempt entry. |
| Message-Based Vectors | Threats that use communication channels to deliver attacks. |
| Email Attacks | Phishing, spear phishing, malicious attachments, BEC. |
| SMS Attacks (Smishing) | Malicious text messages with fake links or numbers. |
| IM Attacks | Malicious links, malware files, or impersonation on chat apps. |
| Mitigations | Email filtering, mobile security, user training, endpoint protection, authentication tools (SPF/DKIM/DMARC). |
🧩 8. Exam Tip
When you see message-based threat vectors on the Security+ exam, remember:
- They target communication channels (email, SMS, IM).
- The main goal is to trick users through social engineering.
- Prevent them using technical controls (filters, authentication) and human controls (training, awareness).
