Security+ domain 2: Understanding threats, vulnerabilities and mitigations (701 exam update)
CompTIA's Security+ certification has long been a cornerstone for IT professionals looking to prove their cybersecurity skills. But cybersecurity never stands still. Threats evolve, defenses adapt and best practices shift. That's why CompTIA gives Security+ a makeover every three years or so. It's how they ensure the exam stays fresh and relevant in this changing tech landscape.
The latest version of the Security+ exam, SY0-701, was introduced in November 2023, and the previous version, SY0-601, was retired on July 31, 2024. In this blog post, we'll dive into domain 2 of the exam, which has been reorganized and updated for the new version. We will explore the specific changes and how they impact the exam and provide an overview of the key concepts to master to succeed.
What's changed in Security+ domain 2?
Domain 2 has undergone a significant transformation. In exam SY0-601, domain 2 covered architecture and design, but that has changed. "Domain two, threats, vulnerabilities and mitigations, is essentially learning about the different threats, vulnerabilities and mitigations you'll be up against," said Patrick Lane, CompTIA's Product Manager for Security+, in a recent Infosec CompTIA Security+ update webinar. "There's a lot of new ones, and you've got to be familiar with them."
Here's a breakdown of these changes and how this domain stacks up against the old exam:
- 2.1 Compare and contrast common threat actors and motivations: This objective dives into understanding the "who" and "why" behind cyberattacks. This overlaps with the old 1.5 objective but focuses on recognizing specific threat actors and their motivations.
- 2.2 Explain common threat vectors and attack surfaces: This objective tackles how attackers get in — the tricks they use and the weak spots they exploit. This new objective also takes from the older 1.5 objective but focuses on the tactics attackers use.
- 2.3 Explain various types of vulnerabilities: This objective explores the weaknesses that attackers can leverage. It builds upon objective 1.6 from the 601 exam by going beyond just recognizing vulnerabilities to understanding the different types.
- 2.4 Given a scenario, analyze indicators of malicious activity: Here you learn about identifying the digital footprints that malicious actors leave behind. This new objective merges elements from the old objectives 1.2 (analyzing potential indicators), 1.3 (applications attacks) and 1.4 (network attacks) but with a stronger focus on analyzing scenarios.
- 2.5 Explain the purpose of mitigation techniques used to secure the enterprise: This objective equips you with the different strategies you can use to defend against threats. It incorporates elements from the old objectives 4.4 (applying mitigation techniques), 3.1 (secure protocols), 3.2 (host/application security), 3.3 (secure network design), 3.4 (wireless security) and 3.5 (mobile security) but with a shift in focus towards understanding the purpose of these techniques rather than just implementing them.
Now let’s explore each objective in detail.
Watch the full Security+ webinar with CompTIA to learn more.
2.1: Threat actors and motivations
The ability to "compare and contrast common threat actors and motivations" is a very important part of effective cybersecurity. As Lane points out in the webinar, knowing "who threat actors are, who are the people that are attacking you" is crucial for developing robust defense strategies.
This objective goes deeper than simply identifying different types of attackers. It challenges you to understand the nuances between various threat actors, from nation-states with vast resources to unskilled attackers looking for easy targets. You'll need to grasp how an insider threat differs from organized crime, or how hacktivists operate compared to shadow IT.
You'll also explore the diverse motivations driving these actors. Whether it's financial gain, espionage or simply causing chaos, understanding these motivations helps predict attack patterns and prioritize defenses. This knowledge allows professionals to anticipate threats and tailor their strategies accordingly. In cybersecurity, knowing your enemy is often the key to staying one step ahead.
2.2: Threat vectors and attack surfaces
The objective "explain common threat vectors and attack surfaces" is the focus of this subdomain. As Lane emphasized in the webinar, you need to be familiar with how attackers can target your systems, including "a lot of new ones."
This objective covers a wide range of potential entry points, from message-based threats like phishing emails and SMS attacks to vulnerabilities in your supply chain. Knowing their names and definitions is not enough. You must understand how these vectors interconnect and evolve. For instance, a simple phishing email could lead to a complex business email compromise.
Security professionals need this knowledge to build comprehensive defense strategies. By understanding the full spectrum of threat vectors, from unsecured networks to social engineering tactics like pretexting, you can better anticipate and mitigate potential attacks. This objective prepares you to think holistically about security, considering both technical vulnerabilities and human factors. Your defense is only as strong as your understanding of potential attack routes.
2.3: Types of vulnerabilities
Not all vulnerabilities are the same, and this objective, "explain various types of vulnerabilities," digs into the different types of weaknesses in a system that attackers can exploit. As Lane noted, new vulnerabilities and new ways to exploit them are a given in cybersecurity and you must be ready to handle them as a security professional.
This objective covers a broad spectrum of vulnerabilities, from application-level issues like buffer overflows and SQL injections to hardware vulnerabilities and cloud-specific risks. Here, you'll not only learn the names of these vulnerabilities but how they can be exploited and more importantly how they relate to each other.
For example, a seemingly minor misconfiguration could lead to a major breach if combined with a zero-day exploit. This type of comprehensive understanding allows security professionals to effectively prioritize threats and allocate resources. When you master this objective, you'll be able to identify potential weak points in your systems, understand the implications of emerging threats and develop more robust security strategies.
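To make the application-level vulnerabilities named above concrete, here is an added example (not code from the blog post or from CompTIA) showing the same lookup written two ways: one that builds SQL by string formatting and one that uses a parameterized query. It runs against a constructed in-memory SQLite table; the table, the usernames and the `password_hash` values are all invented for the demonstration, and the input used in the usage note is the textbook tautology that textbooks use to show why the first form fails.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def count_matches_vulnerable(conn, username, password_hash):
    """Deliberately builds the statement with string formatting.

    Untrusted input becomes part of the SQL text, so a value containing
    quotes and operators changes the query's logic. Kept vulnerable on
    purpose to show the defect the objective describes.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' "
        "AND password_hash = '%s'" % (username, password_hash)
    )
    return conn.execute(query).fetchone()[0]


def count_matches_hardened(conn, username, password_hash):
    """Same lookup with bound parameters.

    The driver sends the SQL and the values separately, so the input is
    only ever compared as data and can never alter the statement.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = ? "
        "AND password_hash = ?"
    )
    return conn.execute(query, (username, password_hash)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", count_matches_vulnerable(db, tautology, tautology))
    print("hardened:  ", count_matches_hardened(db, tautology, tautology))
    print("legit:     ", count_matches_hardened(db, "alice", "hash-a"))
```

With the tautology as both inputs, the string-formatted version reports both rows as matches because the WHERE clause has been rewritten, while the parameterized version reports zero; a genuine username and hash still match exactly once. The fix is the parameter binding, not input filtering.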
2.4: Analyze indicators of malicious activity
This objective, "given a scenario, analyze indicators of malicious activity," dives into practical skills you need to detect suspicious activity on a system. Understanding "how bad actors are going to attack" is a top skill for any cybersecurity professional, according to Lane, because it enables them to identify and respond to potential threats before they cause harm.
This objective will teach you to understand the tactics, techniques and procedures (TTPs) used by threat actors, as well as the indicators of compromise (IOCs) that can help you detect and prevent attacks. You'll become familiar with a wide range of threats, including malware attacks, ransomware, Trojans and rootkits. You'll also learn about physical attacks, such as brute force and RFID cloning, as well as network attacks like DDoS.
Understanding the indicators of these attacks allows you to implement proactive measures, as Lane suggests when he mentions using playbooks to "protect yourself before you've even been attacked." Studying for this objective will enhance your ability to interpret security data, recognize attack patterns and make informed decisions in high-pressure situations.
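As an added illustration of analyzing indicators in a scenario (this is example code, not material from the blog post or the exam), the script below parses constructed OpenSSH-style authentication log lines and flags a source address that accumulates repeated failed logins within a short window, noting whether a successful login followed the burst. The log lines, host name, addresses and the threshold and window values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format; not real log data.
SAMPLE_LOG = """\
Jan 10 08:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jan 10 08:00:03 host sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 08:00:04 host sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 08:00:06 host sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 08:00:07 host sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 08:00:09 host sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jan 10 08:15:00 host sshd[2010]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 08:16:30 host sshd[2011]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Turn matching lines into (timestamp, result, user, ip) tuples.

    syslog timestamps carry no year, so one is supplied (assumed here).
    Lines that do not match the pattern are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failures inside any window.

    Returns {ip: {"failures": n, "success_after": bool}}. A success from
    the same source after the burst is a stronger indicator: it suggests
    the guessing worked, not merely that it was attempted.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [ts for ts, res, _, _ in evs if res == "Failed"]
        # Sliding window: anchor on each failure, count failures up to window later.
        for i, start in enumerate(failures):
            end = start + window
            n = sum(1 for ts in failures[i:] if ts <= end)
            if n >= threshold:
                success_after = any(
                    res == "Accepted" and ts >= start for ts, res, _, _ in evs
                )
                findings[ip] = {"failures": n, "success_after": success_after}
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_force(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after']}")
```

On the sample, 203.0.113.7 is flagged (five failures in under ten seconds, then an accepted login), while 198.51.100.4, which has a single typo-style failure before a success, is not. In a real playbook the threshold and window would be tuned to the environment, and a flagged source with `success_after` set would be escalated for credential reset and session review rather than just blocked.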
2.5: Mitigation techniques
Knowing how to defend your systems is just as critical as understanding the threats. The previous objective covered how to identify malicious activity; this one asks you to "explain the purpose of mitigation techniques used to secure the enterprise."
This objective focuses on the tools and strategies you can use to counter cyberattacks. You'll learn how access controls, like permissions and whitelisting, restrict unauthorized access, while encryption scrambles data to make it unreadable in case of a breach. The key here is not only knowing how to implement specific security measures (applying a patch) but also understanding the purpose behind these measures (patching fixes vulnerabilities).
This subdomain will give you a deeper understanding of mitigation techniques. You'll be able to choose the most appropriate techniques for different situations and create a layered defense against known and emerging cyber threats.
Preparing for your Security+ exam
Studying Security+ domain 2 is a major step towards passing the entire exam. This domain accounts for 22% of the exam and covers threats, vulnerabilities and mitigations. Here you learned about the reasons for, and tactics used in, cyberattacks and how to detect, prevent and mitigate them.
But don't forget about the other four domains in the exam, including:
- Domain 1: General Security Concepts
- Domain 3: Security Architecture
- Domain 4: Security Operations
- Domain 5: Security Program Management and Oversight
Want to know even more about the Security+ exam? Check out these resources:
- Dive deeper into the changes in the Security+ exam with our free webinar, CompTIA Security+: Everything you need to know about the SY0-701 update.
- Get a comprehensive overview of the Security+ objective updates in our free ebook, CompTIA Security+ 701: How the world's most popular cert is changing in 2024 (and how it affects you).
- Examine a multitude of resources, including in-depth articles on Security+ topics, at our Security+ certification hub.