Threat Vectors and Attack Surfaces
What the Exam Is Really Testing
Think about it this way: a server can have a critical vulnerability, but if that server sits on an isolated network with no inbound connections, the risk is low. Why? Because there is no path for an attacker to reach it.
A vulnerability only matters if an attacker has a path to reach it. That path is the threat vector. The total collection of reachable entry points is the attack surface.
The exam builds on this distinction. You will see scenarios where you need to name the specific vector being used — email, SMS, USB, supply chain — and understand that reducing the number of reachable entry points is the most effective way to lower risk.
Message-Based Vectors
Message-based vectors are the most common initial access method tested on Security+. They exploit human trust and communication habits.
Email remains the dominant attack vector across all threat actor types. Attacks delivered via email include phishing links, malicious attachments, business email compromise, and credential harvesting forms.
Email is effective because it reaches users directly, bypasses network perimeter controls, and exploits trust in known senders. On the exam, email-based scenarios often test your ability to identify phishing indicators and recommend appropriate controls like email filtering, DMARC, and user training.
SMS (Smishing)
SMS-based attacks deliver malicious links or social engineering messages through text messages. They exploit the trust users place in mobile communications and the limited URL preview available on mobile devices.
SMS attacks are harder to filter than email because mobile carriers have fewer inspection capabilities than enterprise email gateways.
Instant Messaging
Instant messaging platforms — including workplace tools like Slack and Teams — can deliver malicious links or files. Attackers may compromise legitimate accounts to send convincing messages within trusted channels.
Voice Calls (Vishing)
Vishing uses voice calls to manipulate targets into revealing sensitive information or taking harmful actions. Attackers impersonate IT support, bank representatives, or executives.
Spam over Internet Protocol (SPIT) extends this by using VoIP systems to deliver automated voice spam at scale.
Image-Based and File-Based Vectors
Image-Based Attacks
Malicious code can be embedded within image files through steganography or by exploiting image rendering vulnerabilities. QR codes are also used to direct users to malicious URLs without visible inspection of the destination.
File-Based Attacks
Documents, spreadsheets, PDFs, and compressed archives can carry embedded malware, malicious macros, or exploit code targeting application vulnerabilities. File-based vectors are effective because users routinely open documents as part of normal business operations.
The exam tests whether you understand that file type alone does not determine safety. A PDF or image file can be weaponized just as effectively as an executable.
Physical and Network Vectors
Removable Devices
USB drives, external hard drives, and other removable media can introduce malware directly to systems, bypassing network security entirely. Attacks range from simple malware delivery to sophisticated hardware implants that emulate keyboards and execute commands automatically.
USB drop attacks — leaving infected drives in parking lots or common areas — exploit curiosity and remain a tested scenario on the exam.
Unsecure Networks
Network-based vectors exploit weaknesses in connectivity:
- Wireless — Open or poorly secured Wi-Fi networks expose traffic to interception. Evil twin attacks create convincing fake access points.
- Wired — Unsecured network jacks in public or semi-public areas allow physical access to the internal network.
- Bluetooth — Bluetooth connections can be exploited for unauthorized pairing, data extraction, or malware delivery at close range.
The exam frequently presents scenarios where an employee connects to an untrusted network, and you must identify the resulting risk and appropriate mitigation.
Supply Chain Vectors
Supply chain attacks compromise organizations through trusted third-party relationships. They are particularly dangerous because they bypass direct defenses entirely.
Managed Service Providers (MSPs)
MSPs have privileged access to multiple client environments. Compromising a single MSP can give an attacker access to hundreds of organizations simultaneously. The exam tests whether you recognize MSP compromise as a supply chain risk and understand the importance of third-party risk assessments.
Vendors and Suppliers
Software vendors can unknowingly distribute compromised updates. Hardware suppliers can ship devices with pre-installed malware or backdoors. The SolarWinds attack is the defining example — a legitimate software update distributed malicious code to thousands of organizations.
Key supply chain risks:
- Compromised software updates from trusted vendors
- Pre-installed malware on hardware from untrusted supply chains
- Third-party code libraries with embedded vulnerabilities
- Counterfeit hardware components with hidden backdoors
Attack Surface Management
The attack surface is everything an attacker can potentially target: every open port, every exposed service, every user account, every API endpoint, every physical access point.
Attack surface management is the practice of discovering, cataloging, and reducing these entry points.
Core principles:
- Discovery — You cannot protect what you do not know exists. Asset inventory and network scanning identify exposed surfaces.
- Reduction — Disable unnecessary services, close unused ports, remove default accounts, and decommission legacy systems.
- Monitoring — Continuously watch for new exposures from configuration changes, new deployments, or shadow IT.
- Prioritization — Focus on entry points that are internet-facing, have known vulnerabilities, or provide access to critical assets.
On the exam, attack surface questions test whether you understand that reducing the number of entry points is more effective than trying to defend all of them equally.
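As an added illustration of the four principles above (example code, not part of the study guide), the following Python applies reduction, prioritization and monitoring to a constructed asset inventory; the hostnames, ports and scoring weights are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    internet_facing: bool
    required: bool                 # a business process depends on it
    default_creds: bool = False
    known_vulns: int = 0           # unpatched, published vulnerabilities
    critical_access: bool = False  # fronts a critical asset

# Constructed sample inventory; hosts, ports and flags are illustrative only.
INVENTORY = [
    Exposure("web-01", 443, "https", True, True, critical_access=True),
    Exposure("mail-01", 25, "smtp", True, True, known_vulns=1),
    Exposure("legacy-ftp", 21, "ftp", True, False, default_creds=True),
    Exposure("test-db", 3306, "mysql", True, False, default_creds=True, known_vulns=2),
    Exposure("hr-app", 8080, "http", True, True, default_creds=True, critical_access=True),
    Exposure("print-01", 9100, "jetdirect", False, True),
]

def reduction_candidates(inventory):
    """Reduction: reachable entry points with no business purpose.
    Disabling them removes the path entirely instead of defending it."""
    return [e for e in inventory if e.internet_facing and not e.required]

def priority(e):
    """Prioritization: internet exposure, known vulns, critical access and
    default credentials each add weight. Higher score = fix sooner."""
    return (4 * int(e.internet_facing) + 3 * min(e.known_vulns, 2)
            + 2 * int(e.critical_access) + 2 * int(e.default_creds))

def hardening_order(inventory):
    """Required services that must stay, most exposed first."""
    return sorted((e for e in inventory if e.required), key=priority, reverse=True)

def new_exposures(previous, current):
    """Monitoring: anything reachable now that the last inventory lacked
    (new deployment, config change, or shadow IT)."""
    before = {(e.host, e.port) for e in previous}
    return [e for e in current if e.internet_facing and (e.host, e.port) not in before]

if __name__ == "__main__":
    for e in reduction_candidates(INVENTORY):
        print(f"DISABLE {e.host}:{e.port} ({e.service})")
    for e in hardening_order(INVENTORY):
        print(f"HARDEN  {e.host}:{e.port} score={priority(e)}")
```

Running `new_exposures` against the previous scan (for example, `new_exposures(INVENTORY[:4], INVENTORY)`) surfaces the newly reachable hr-app host, which is the monitoring step in practice.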
Pattern Recognition
When you see a threat vector question, quickly determine:
- How is the attack being delivered? (message, file, network, physical, supply chain)
- What trust relationship is being exploited?
- Which layer of defense should intercept it?
- Is the vector targeting the human or the technology?
Pattern shortcuts:
- Employee clicks a link in a text message = SMS/smishing vector
- Malware arrives through a software update = supply chain vector
- USB drive found in a parking lot = removable device vector
- Attacker on the same Wi-Fi intercepts traffic = unsecure wireless vector
- Caller impersonates IT helpdesk = vishing/voice call vector
Trap Patterns
Watch for these traps:
- Confusing vector with attack type. Phishing is an attack type. Email is the vector. The exam may ask about the vector specifically.
- Assuming supply chain attacks are rare. The exam treats supply chain as a major vector category. Expect questions about vendor risk and third-party access.
- Overlooking Bluetooth. Bluetooth is a tested vector. If a scenario mentions proximity-based unauthorized access, consider Bluetooth exploitation.
- Thinking attack surface is static. Attack surface changes with every new deployment, cloud service, or employee device. The correct answer involves continuous management, not one-time assessment.
Scenario Practice
Question 1
An organization deploys a software update from a trusted vendor. Weeks later, a security team discovers that the update contained a backdoor that allowed attackers to exfiltrate data from their network.
Which threat vector was used in this attack?
Answer & reasoning
Answer: Supply chain vector
The malware was delivered through a trusted vendor's software update, making this a supply chain attack. The organization's own defenses were bypassed because the update came from a legitimate, trusted source.
This is not a file-based or message-based vector because the delivery mechanism was the vendor's official update channel.
Question 2
A user receives a text message claiming their bank account has been locked. The message contains a link to a website that closely resembles the bank's legitimate login page. The user enters their credentials, which are captured by the attacker.
Which threat vector does this scenario PRIMARILY describe?
Answer & reasoning
Answer: SMS (smishing) vector
The attack was delivered via text message, making SMS the primary threat vector. While the attack also involves a fake website, the initial delivery mechanism — and therefore the vector — is SMS.
The exam distinguishes between the vector (how the attack reaches the target) and the technique (what the attack does once delivered).
Question 3
A security assessment reveals that the organization has 47 internet-facing services, but only 12 are required for business operations. The remaining services run on default configurations with default credentials.
What should the security team do FIRST?
Answer & reasoning
Answer: Disable the 35 unnecessary internet-facing services to reduce the attack surface
Attack surface reduction is the priority. Removing unnecessary services eliminates entry points entirely, which is more effective than trying to harden and monitor services that serve no business purpose.
Hardening the default configurations is important but secondary to removing unnecessary exposure.
Key Takeaway
Bottom line: vectors are how attacks arrive, not what attacks do. Keep that distinction clear and the exam questions become straightforward.
Every attack needs a path. Identifying and reducing those paths is the foundation of defensive security.
Supply chain vectors are especially worth studying because they exploit trust in third parties and bypass direct defenses. And remember that attack surface management is a continuous process — the surface changes every time you deploy a new service, onboard a vendor, or add a device. Reducing entry points will always beat trying to defend all of them at once.