Apr 15, 2026
Security+ Attack Types and Defenses: Malware, Social Engineering, and Network Attacks (SY0-701 Study Guide)
Attack types are not just a memorization section on Security+. They are the quickest way to prove you can think like a defender: identify what is happening, what control would have stopped it, and what to do next. That is exactly how SOC and help desk escalation works in real life.
This post gives you a repeatable study method for Security+ SY0-701: map every attack to (1) entry point, (2) impact, (3) best defenses, and (4) fastest confirmation steps.
Security+ SY0-701 exam context (why you should study attacks as a system)
Security+ questions rarely ask “What is ransomware?” in isolation. More common is:
A short scenario (email, endpoint behavior, weird network traffic)
A constraint (no downtime, remote workforce, cloud app)
A best next step or best control
Here are the SY0-701 basics you should know cold:
| Exam | Max questions | Time limit | Passing score | Typical U.S. voucher price |
|---|---|---|---|---|
| CompTIA Security+ (SY0-701) | 90 | 90 minutes | 750 (100-900 scale) | $392 |
Study implication: you have about 1 minute per question. You do not have time to “think from scratch.” Your goal is fast pattern recognition.
The 4-part mapping method (use this for every attack)
For each attack type you study, write a 4-line “attack card” in your notes:
Entry point - How it gets in (email, RDP, USB, exposed service, misconfig).
What it changes - Confidentiality, integrity, availability, or authentication.
Best defenses - Prevent, detect, respond (in that order).
Fast confirmation - One log or artifact that proves it (EDR alert, DNS logs, proxy logs, auth logs, NetFlow).
If you can do these four things, you can answer most scenario questions even when the wording is unfamiliar.
Malware: know the behavior, not the definition
Malware questions often hinge on symptoms and blast radius. Focus on what the malware is trying to achieve.
Malware quick map (what Security+ expects)
| Malware type | What it tries to do | Common entry point | Best preventive controls | Best detection clues |
|---|---|---|---|---|
| Ransomware | Encrypt data, extort | Phishing attachment, exploit, RDP reuse | Offline/immutable backups, patching, least privilege, EDR | Sudden file renames, mass file writes, shadow copy deletion attempts |
| Trojan | Pretend to be legit to run payload | User installs “utility,” cracked software | Application allowlisting, least privilege, user training | New unsigned binaries, suspicious persistence (Run keys, scheduled tasks) |
| Worm | Self-propagate across network | Unpatched service, weak segmentation | Patch management, segmentation, host firewall | Lateral movement spikes, SMB/445 scanning, abnormal east-west traffic |
| Spyware/Keylogger | Steal credentials/data | Bundled installers, drive-by | EDR, browser hardening, least privilege | Browser credential access, unusual outbound to C2 |
| Rootkit | Hide itself, maintain control | Post-exploit privilege escalation | Secure boot, patching, EDR | Kernel anomalies, hidden processes, integrity check failures |
How to answer malware defenses questions faster
Use this order of operations:
Stop spread first (containment): isolate host, disable account, block hash/domain.
Preserve evidence if asked (IR): snapshot, collect volatile data, do not reboot unless directed.
Eradicate and recover: reimage, restore from known-good backups, rotate credentials.
Close the door: patch, remove exposed services, enforce MFA, tighten permissions.
If a question asks for the best prevention against ransomware, “pay the ransom” and “run antivirus” are traps. Look for backups + least privilege + patching + segmentation.
Mini-lab you can do in 20 minutes (study routine)
Create a “malware symptom to control” drill:
Make two columns in your notes: symptom and best control.
Add 10 symptoms (example: “multiple failed logons then success” or “sudden DNS to random domains”).
For each, force yourself to pick one best control and one best log source.
This builds the muscle Security+ tests: choose the best answer, not all possible answers.
Social engineering: learn the pretext, the tell, and the control
Social engineering is tested as psychology plus process. The best defenses are often procedural: verification steps, MFA, and least privilege.
Core social engineering patterns
| Attack | What the attacker wants | The “tell” in the scenario | Best defenses that typically test well |
|---|---|---|---|
| Phishing | Credentials or malware execution | Generic message, urgency, link to login page | MFA, email filtering, user training, URL rewriting/sandboxing |
| Spear phishing | Same as phishing but targeted | Correct names, org context, recent events | MFA, out-of-band verification, DMARC/DKIM/SPF, training |
| Whaling | Target execs for wire transfers or access | CEO/CFO context, payment urgency | Dual approval for payments, verification procedures, phishing-resistant MFA |
| Vishing | Phone-based credential capture | Caller pressure, spoofed caller ID | Call-back policy, help desk verification, awareness training |
| Smishing | SMS-based phishing | Short links, “package delivery,” bank alert | Mobile link filtering, user training, MFA |
| Pretexting | Build a story to get access | Detailed role-play, “I’m new, need help now” | Verification scripts, least privilege, separation of duties |
| Baiting | Curiosity to trigger action | “Free” USB, download, gift card | USB control policies, disable autorun, training |
| Tailgating/Piggybacking | Physical access | Someone follows through secure door | Badge enforcement, mantrap, security awareness |
Security+ answer shortcut: match control type to the attack
If the attack is about credentials, the best answer is usually MFA (or phishing-resistant MFA) plus verification.
If the attack is about money transfer, the best answer is usually process control (dual approval, out-of-band verification).
If the attack is about physical entry, look for badge access controls and security guards/mantraps.
Drill: convert every social engineering story into a policy
Take 5 scenarios (make them up or use practice questions). For each, write a one-sentence policy:
“Help desk must verify identity using two factors before password reset.”
“Finance must confirm wire requests using a known phone number, not email reply.”
This helps you pick the best “administrative control” answers quickly.
Network attacks: think in terms of where the attack lives (L2, L3, L7)
Network attacks show up as:
Protocol abuse (ARP, DNS)
Traffic manipulation (MITM)
Service disruption (DoS/DDoS)
Credential attacks against exposed services
Network attack-to-defense cheat sheet
| Attack | Layer / focus | What you see | Best defenses |
|---|---|---|---|
| DoS/DDoS | Availability | Service slow/down, high traffic, many sources | Rate limiting, WAF/CDN, DDoS scrubbing, autoscaling, ACLs |
| MITM | Confidentiality/integrity | Unexpected cert warnings, rogue Wi-Fi, suspicious proxying | TLS everywhere, cert pinning where applicable, VPN, secure Wi-Fi (WPA3/802.1X) |
| DNS poisoning | Name resolution | Users redirected, wrong IPs for known domains | DNSSEC validation, secure resolvers, restrict zone transfers, monitor DNS logs |
| ARP spoofing | Local LAN | Intermittent connectivity, gateway MAC changes | Dynamic ARP inspection, static ARP entries for critical hosts, VLAN segmentation |
| Rogue AP / Evil twin | Wireless | “CompanyGuest” duplicates, captive portal mimic | WPA3-Enterprise/802.1X, wireless IDS, user training |
| Password spraying | Auth | Many accounts, few attempts each | MFA, lockout thresholds tuned, conditional access, monitor auth logs |
| Brute force | Auth | Many attempts on one account | MFA, lockout, rate limiting, disable exposed admin portals |
| Session hijacking | Web auth | User reports account actions they did not do | HTTPS, secure cookies, short session TTL, re-auth for risky actions |
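As an added example that is not part of this study guide: the password spraying and brute force rows above, plus the “multiple failed logons then success” symptom from the mini-lab, turned into a check over auth log lines. The log lines, their field order (timestamp, user, source IP, result) and the thresholds are constructed assumptions, not a real product’s format.

```python
from collections import Counter, defaultdict

# Constructed sample auth log (timestamp user source_ip result); not real data.
SAMPLE_LOG = """\
2026-04-15T09:00:01 alice 203.0.113.5 FAIL
2026-04-15T09:00:02 bob 203.0.113.5 FAIL
2026-04-15T09:00:03 carol 203.0.113.5 FAIL
2026-04-15T09:00:04 dave 203.0.113.5 FAIL
2026-04-15T09:00:05 erin 203.0.113.5 FAIL
2026-04-15T09:00:06 carol 203.0.113.5 SUCCESS
2026-04-15T09:01:00 grace 198.51.100.9 FAIL
2026-04-15T09:01:01 grace 198.51.100.9 FAIL
2026-04-15T09:01:02 grace 198.51.100.9 FAIL
2026-04-15T09:01:03 grace 198.51.100.9 FAIL
2026-04-15T09:01:04 grace 198.51.100.9 FAIL
2026-04-15T09:01:05 grace 198.51.100.9 SUCCESS
2026-04-15T09:05:00 heidi 192.0.2.20 FAIL
2026-04-15T09:05:05 heidi 192.0.2.20 SUCCESS
"""

SPRAY_MIN_USERS = 5      # spraying: many accounts ...   (assumed thresholds)
SPRAY_MAX_PER_USER = 2   # ... with few attempts each
BRUTE_MIN_FAILS = 5      # brute force: many attempts on one account


def analyze(log=SAMPLE_LOG):
    """Return {source_ip: (verdict, users that succeeded after failing)}.

    verdict is 'spraying', 'brute_force' or 'normal'; the user list is the
    "failed logons then success" tell, reported only for suspicious sources."""
    fails = defaultdict(Counter)   # ip -> Counter(user -> failed attempts)
    after_fail = defaultdict(set)  # ip -> users that logged in after failing
    for line in log.strip().splitlines():
        _ts, user, ip, result = line.split()
        if result == "FAIL":
            fails[ip][user] += 1
        elif user in fails.get(ip, ()):   # SUCCESS after at least one FAIL
            after_fail[ip].add(user)
    report = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())    # most failures against any one account
        if len(per_user) >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
            verdict = "spraying"
        elif worst >= BRUTE_MIN_FAILS:
            verdict = "brute_force"
        else:
            verdict = "normal"            # e.g. one typo, then a good password
        flagged = sorted(after_fail[ip]) if verdict != "normal" else []
        report[ip] = (verdict, flagged)
    return report
```

The same source IP that spread one failure across five accounts and then logged in as one of them is the spraying pattern the table describes; the control that stops both verdicts is MFA, while a plain lockout threshold only catches the brute-force one.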
How to avoid the most common network attack study mistake
Do not memorize “ARP spoofing = MITM” and stop there. Security+ usually asks:
Where is it happening? (local LAN vs internet)
Which control actually stops it? (DAI for ARP spoofing is far better than “install antivirus”)
A practical way to lock this in is to always add “scope” to your notes:
ARP spoofing: local subnet problem
DNS poisoning: resolver/cache problem
DDoS: edge/internet-facing problem
A 7-day attack-types study plan (30 to 45 minutes/day)
This schedule is built to force recall and scenario thinking.
| Day | Focus | What to do | Output you should produce |
|---|---|---|---|
| 1 | Malware fundamentals | Create 8 attack cards (ransomware, trojan, worm, rootkit, spyware, botnet, logic bomb, fileless) | 1-page malware map |
| 2 | Malware defenses | For each malware card, add 2 prevent + 1 detect control | Control checklist |
| 3 | Social engineering | Create 10 micro-scenarios (2 lines each) and label the attack | Scenario bank |
| 4 | Social engineering defenses | Turn each scenario into a policy and a technical control | Policy statements |
| 5 | Network attacks | Make a layer-based list (L2, L3, L7) and place attacks in it | Layer map |
| 6 | Mixed practice | Do 40 to 60 practice questions only on attacks/defenses | Review notes of misses |
| 7 | Exam simulation | Timed set: 30 questions in 30 minutes. Focus on choosing best control | Weak-area list |
Rule: every missed question becomes a new attack card or updates an existing one. That is how you stop repeating the same mistakes.
The “best answer” filters Security+ uses (apply these when stuck)
When two answers seem right, apply these filters:
Least privilege beats broad access (reduce blast radius).
Prevent beats detect (unless the question asks for detection or investigation).
Compensating controls matter when constraints exist (legacy system, cannot patch, remote users).
Most specific control wins (DAI beats “switch security,” WAF beats “firewall” for web attacks).
MFA is a top-tier answer for credential attacks, but not for malware already executing.
FAQ
What attack types show up the most on Security+?
The exam mixes them, but you should expect repeated scenario coverage of phishing and credential attacks, common malware behaviors (especially ransomware), and network disruption or interception patterns (DDoS, MITM-style scenarios).
How detailed do I need to be about tools (EDR, SIEM, IDS/IPS, WAF)?
Detailed enough to pick the best control in a scenario. You should know what each tool is best at: EDR for endpoints, SIEM for log correlation, IDS/IPS for network detection/prevention, WAF for web app filtering, and DLP for data movement controls.
How do I study social engineering if I do not have job experience?
Build a scenario bank and write the one-sentence policy response. Security+ rewards process thinking: verification, separation of duties, least privilege, and MFA.
What is the fastest way to improve my score on attack questions?
Stop rereading definitions and start drilling “symptom to control.” Every practice question should end with you writing: entry point, impact, best prevention, best log.
How should I handle PBQ-style attack questions?
Treat them like incident response: identify the attack, contain first, then eradicate, then recover, then harden. If the PBQ includes logs or CLI output, look for the single strongest indicator (suspicious DNS, repeated auth failures, unusual ports, unexpected cert behavior).
Put this into practice with targeted Security+ drills
If you want the fastest improvement on malware, social engineering, and network attack scenarios, do timed topic sets and force yourself to explain why each wrong option is wrong.
Start practicing today at study.cyberexamprep.com with unlimited questions across all CompTIA exams.