Domain 2: Threats, Vulnerabilities, and Mitigations Review — 14 of 61

Domain 2 – Section A Review: Threat Landscape

Security+ Domain 2 (Threats, Vulnerabilities, and Mitigations), Section A: Threat Landscape Review. 10 questions.

This section integrates:

  • Threat Actors and Motivations
  • Threat Vectors and Attack Surfaces
  • Social Engineering Techniques

Security+ expects you to identify the type of threat, the vector used, and the social engineering technique applied in real-world scenarios.


1. Threat Actor Identification

Every attack has an actor with specific attributes:

Motivation tells you why. Sophistication tells you how. Resources tell you how long they can persist.

  • Nation-state actors: highly funded, persistent, target critical infrastructure and intellectual property.
  • Organized crime: financially motivated, use ransomware and fraud schemes.
  • Hacktivists: ideologically motivated, target reputation and public-facing systems.
  • Insider threats: authorized access, motivated by grievance, financial gain, or negligence.
  • Script kiddies: low sophistication, use publicly available tools.

When a question describes an attack, match the behavior to the actor profile. Sophisticated, long-duration attacks with custom tools suggest nation-state. Opportunistic, automated attacks suggest unskilled actors.


2. Threat Vectors and Attack Surfaces

Threat vectors are the paths attackers use to reach their target:

  • Email — phishing, malicious attachments, business email compromise.
  • Web — drive-by downloads, watering hole attacks, malicious URLs.
  • Removable media — USB drops, infected devices.
  • Supply chain — compromised vendors, tainted software updates.
  • Wireless — evil twin, rogue access points, Bluetooth attacks.

The attack surface is everything an attacker can target. Reducing the attack surface reduces opportunity.

Supply chain attacks are especially dangerous because they exploit trust relationships with legitimate vendors.


3. Social Engineering Recognition

Social engineering exploits human behavior rather than technical vulnerabilities:

  • Phishing — broad-based deceptive emails.
  • Spear phishing — targeted at specific individuals.
  • Whaling — targeting executives.
  • Vishing — voice-based phishing.
  • Smishing — SMS-based phishing.
  • Pretexting — creating a fabricated scenario to gain trust.
  • Tailgating/piggybacking — physical access through social manipulation.

Social engineering targets the human, not the system. The best technical controls fail when people are the vulnerability.

Section A Decision Pattern

When unsure in Domain 2 Section A:

  1. Identify the threat actor by motivation and capability.
  2. Determine the vector — how did the attacker reach the target?
  3. Classify the social engineering technique by its delivery method.
  4. Match the defense to the specific vector, not just the general threat.
  5. Remember: insider threats have authorized access by definition.

Section A – Practice Questions


Question 1

A targeted email impersonating the CEO asks the CFO to approve an urgent wire transfer to a new vendor. What type of social engineering attack is this?

A. Whaling
B. Spear phishing
C. Phishing
D. Vishing

Answer & reasoning

Correct: A

This is whaling because it specifically targets a high-level executive (CFO) using a pretext involving another executive (CEO). While it is also spear phishing, whaling is the more specific classification when executives are the targets.


Question 2

An organization discovers that a recently installed network monitoring tool from a trusted vendor contained a backdoor. What type of threat vector was exploited?

A. Email vector
B. Removable media
C. Wireless
D. Supply chain

Answer & reasoning

Correct: D

A supply chain attack occurs when a trusted vendor's product is compromised before delivery. The backdoor was embedded in a legitimate tool, exploiting the trust relationship between the organization and its vendor.


Question 3

A security team observes a persistent, multi-month intrusion using custom malware that targets proprietary engineering data. Which threat actor is MOST likely responsible?

A. Script kiddie
B. Hacktivist
C. Nation-state
D. Insider threat

Answer & reasoning

Correct: C

The combination of persistence (multi-month), sophistication (custom malware), and target (intellectual property) strongly indicates a nation-state actor. Script kiddies lack the capability, hacktivists typically seek publicity, and insider threats do not normally use custom malware.


Question 4

An attacker leaves infected USB drives in the parking lot of a defense contractor. An employee picks one up and plugs it into a workstation. What threat vector was used?

A. Social engineering via pretexting
B. Removable media
C. Supply chain compromise
D. Watering hole attack

Answer & reasoning

Correct: B

The threat vector is removable media. The USB drive is the delivery mechanism. While social engineering (curiosity) played a role in the employee's behavior, the technical vector is the removable media itself.


Question 5

A disgruntled employee with database administrator privileges exports customer records to a personal cloud storage account before their last day. How should this threat actor be classified?

A. Nation-state
B. Organized crime
C. Hacktivist
D. Insider threat

Answer & reasoning

Correct: D

This is an insider threat. The employee has authorized access (database administrator privileges) and is motivated by grievance. Insider threats are uniquely dangerous because they already have legitimate access to systems and data.


Question 6

An attacker researches a company's IT staff on social media, then calls the help desk pretending to be a new network engineer who needs VPN credentials. What technique is being used?

A. Phishing
B. Pretexting
C. Tailgating
D. Smishing

Answer & reasoning

Correct: B

Pretexting involves creating a fabricated scenario (posing as a new engineer) to manipulate someone into providing information or access. The attacker built a believable identity using social media reconnaissance. This is voice-based, but the core technique is pretexting, not just vishing.


Question 7

Attackers compromise a popular industry forum frequently visited by employees of a specific financial firm. When employees visit the site, malware is silently downloaded. What type of attack is this?

A. Watering hole
B. Drive-by download
C. Spear phishing
D. Pharming

Answer & reasoning

Correct: A

A watering hole attack compromises a website frequently visited by the target group. The attacker does not contact victims directly — they infect a trusted site and wait for victims to visit. While drive-by download describes the technical mechanism, watering hole describes the strategic approach.


Question 8

An employee receives a text message claiming their corporate account will be locked unless they verify their credentials through a provided link. What type of attack is this?

A. Vishing
B. Phishing
C. Smishing
D. Whaling

Answer & reasoning

Correct: C

Smishing is phishing conducted via SMS text messages. The urgency and credential harvesting are hallmarks of phishing, but the delivery method (text message) makes this specifically smishing.


Question 9

A group claims responsibility for defacing a government agency's website to protest environmental policies. Which threat actor category BEST describes this group?

A. Hacktivist
B. Organized crime
C. Nation-state
D. Script kiddie

Answer & reasoning

Correct: A

Hacktivists are motivated by ideology or political causes. They publicly claim attacks and target organizations whose policies they oppose. Website defacement for political protest is a classic hacktivist behavior.


Question 10

An attacker follows an authorized employee through a secured door by carrying a large box and asking the employee to hold the door. What social engineering technique is this?

A. Pretexting
B. Shoulder surfing
C. Tailgating
D. Impersonation

Answer & reasoning

Correct: C

Tailgating (or piggybacking) is gaining physical access by following an authorized person through a secured entrance. The attacker exploits social courtesy — the employee holds the door because the attacker appears to have their hands full.
