
Threat Intelligence and Attack Frameworks for Security+ SY0-701

MITRE ATT&CK, Cyber Kill Chain, OSINT, IOCs, and threat actor categories — exactly what Security+ SY0-701 tests and how to remember the differences.


Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Threat intelligence and attack frameworks are core topics on the CompTIA Security+ SY0-701 exam. You need to understand how threat data is collected, analyzed, and applied to defend networks, and how frameworks like the Cyber Kill Chain and MITRE ATT&CK help security professionals anticipate and respond to attacks. This post breaks down exactly what you need to know, with the technical details and exam tips that will help you pass.

Threat Intelligence Types and Sources

Threat intelligence is evidence-based knowledge about existing or emerging threats. The exam distinguishes four types:

  • Strategic Intelligence: High-level, non-technical information for executives (e.g., reports on nation-state actors targeting the financial sector).
  • Operational Intelligence: Details about specific attacks, including tactics, techniques, and procedures (TTPs).
  • Tactical Intelligence: Technical indicators like IP addresses, domain names, and file hashes (IOCs).
  • Technical Intelligence: In-depth technical data, such as malware code analysis or exploit details.

Key sources include:

  • OSINT (Open-Source Intelligence): Publicly available data from Shodan, VirusTotal, CVE databases, social media, and paste sites.
  • ISACs (Information Sharing and Analysis Centers): Sector-specific threat sharing (e.g., FS-ISAC for finance).
  • Commercial Feeds: Paid services from vendors like Recorded Future, CrowdStrike, or Mandiant.
  • Closed-Source Intelligence: Proprietary data from internal sensors, honeypots, or partnerships.

Exam Tip: You must know that OSINT is free and open; commercial feeds are paid but often more curated. Tactical intelligence is what you use in firewalls and IDS/IPS.

Indicators of Compromise (IOCs)

IOCs are forensic evidence that a system has been breached. Common IOCs include:

  • File hashes (MD5, SHA1, SHA256): Used to identify known malware.
  • IP addresses: Command-and-control (C2) servers or scanning sources.
  • Domain names: Malicious domains often using DGA (Domain Generation Algorithm).
  • URLs: Phishing links or exploit payloads.
  • Registry keys: Persistence mechanisms like HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
  • Network signatures: Specific patterns in traffic, e.g., unusual DNS queries or HTTP user-agent strings.

Example: A Windows system exhibits a suspicious registry key HKLM\...\Run\svchost pointing to C:\Windows\Tasks\svchost.exe. The file hash is a1b2c3.... These are IOCs that indicate malware persistence.
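The following is an added example, not part of the original guide, showing how tactical IOCs of the kinds listed above (file hashes, C2 IP addresses, domains, a Run-key persistence entry) are actually consumed by detection logic. The log lines, the IOC values and the hash are all constructed for illustration; 203.0.113.45 is from a documentation address range and the hash is a repeated pattern, not a real malware hash. The DGA check is a crude heuristic (long label, few vowels or several digits) and is labelled as such in the code.

```python
"""Match constructed endpoint/network log lines against an IOC list."""

# Constructed IOC set for illustration only (not real indicators).
IOC_HASHES = {"a1b2c3d4" * 8}                 # 64-hex SHA256-shaped placeholder
IOC_IPS = {"203.0.113.45"}                    # TEST-NET-3 documentation range
IOC_DOMAINS = {"evil.example"}
# Run key from the guide, with the HKLM abbreviation the example uses.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed log lines in a simple "ts key=value ..." format.
LOGS = [
    "2024-05-01T10:00:01Z host=ws01 event=file_hash path=C:\\Windows\\Tasks\\svchost.exe sha256=" + "a1b2c3d4" * 8,
    "2024-05-01T10:00:02Z host=ws01 event=registry_set key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run name=svchost value=C:\\Windows\\Tasks\\svchost.exe",
    "2024-05-01T10:00:03Z host=ws01 event=dns query=x7k2pq9m4vz1.example",
    "2024-05-01T10:00:04Z host=ws01 event=net_connect dst=203.0.113.45:443",
    "2024-05-01T10:00:05Z host=ws02 event=dns query=mail.example.org",
]


def parse(line):
    """Split a 'ts k=v k=v' line into a dict; the timestamp is stored under 'ts'."""
    ts, *kvs = line.split()
    fields = {"ts": ts}
    for kv in kvs:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def looks_like_dga(domain):
    """Crude DGA heuristic (assumption, not a vetted classifier):
    a long leftmost label with almost no vowels or with several digits."""
    label = domain.split(".")[0].lower()
    if len(label) < 12:
        return False
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return vowels / len(label) < 0.2 or digits >= 3


def match_iocs(fields):
    """Return a list of (indicator_type, value) hits for one parsed event."""
    hits = []
    if fields.get("sha256", "").lower() in IOC_HASHES:
        hits.append(("hash", fields["sha256"]))
    dst_ip = fields.get("dst", "").rsplit(":", 1)[0]   # strip the port
    if dst_ip in IOC_IPS:
        hits.append(("ip", dst_ip))
    query = fields.get("query", "").lower()
    if query in IOC_DOMAINS:
        hits.append(("domain", query))
    elif query and looks_like_dga(query):
        hits.append(("dga_suspect", query))
    if fields.get("key", "").lower() == RUN_KEY.lower():
        hits.append(("run_key", fields.get("name", "")))
    return hits


def scan(lines):
    """Return (timestamp, host, hits) for every line that matched at least one IOC."""
    results = []
    for line in lines:
        fields = parse(line)
        hits = match_iocs(fields)
        if hits:
            results.append((fields["ts"], fields.get("host", "?"), hits))
    return results


if __name__ == "__main__":
    for ts, host, hits in scan(LOGS):
        print(ts, host, hits)
```

Note that the hash and IP matches are exact, while the DGA and Run-key checks are behavioural: the Run key being written is a persistence indicator even before the file hash is known, which is why registry keys appear in the IOC list above.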

Threat Actor Categories

The exam expects you to differentiate threat actors by motivation and capability:

  • APT (Advanced Persistent Threat): Nation-state sponsored, highly skilled, long-term campaigns. Example: APT28 (Fancy Bear) targeting government networks.
  • Insider Threat: Current or former employees with authorized access. Can be malicious (data theft) or accidental (phishing victim).
  • Hacktivist: Politically motivated, uses DDoS or defacement. Example: Anonymous.
  • Script Kiddie: Low-skill, uses pre-made tools. Example: Using Metasploit without understanding it.
  • Organized Crime: Financially motivated, runs ransomware or credential theft. Example: REvil ransomware group.
  • Shadow IT: Employees using unauthorized devices or cloud services, creating risk.

Exam Tip: APT is always state-sponsored and stealthy; hacktivists want visibility; organized crime wants money.

Attack Frameworks

Cyber Kill Chain

Developed by Lockheed Martin, it describes seven stages of a cyberattack:

  1. Reconnaissance: Scanning (nmap -sS 192.168.1.0/24) or OSINT gathering.
  2. Weaponization: Pairing exploit with backdoor (e.g., creating a malicious PDF).
  3. Delivery: Sending via email (phishing) or USB drop.
  4. Exploitation: Triggering the exploit (e.g., CVE-2023-XXXX).
  5. Installation: Installing malware (e.g., a remote access Trojan).
  6. Command & Control (C2): Establishing outbound connection to C2 server (e.g., DNS tunneling on UDP 53).
  7. Actions on Objectives: Data exfiltration (FTP on TCP 21) or encryption (ransomware).

Example: An attacker uses Shodan to find exposed RDP (TCP 3389), then sends a spear-phishing email with a malicious macro. Once executed, the macro downloads a PowerShell script that connects to evil.com on port 443 (HTTPS). The attacker then exfiltrates database backups via SFTP.

MITRE ATT&CK

A knowledge base of adversary TTPs, organized into tactics (like Initial Access, Execution, Persistence) and techniques (e.g., T1566 Phishing, T1059 Command and Scripting Interpreter). Unlike the linear Cyber Kill Chain, ATT&CK is a matrix that shows multiple ways to achieve each tactic.

Example: For Persistence, techniques include T1136 Create Account, T1098 Account Manipulation, and T1547 Boot or Logon Autostart Execution (e.g., adding a run key).

Exam Tip: Know that the Cyber Kill Chain is linear and focuses on the attack lifecycle; MITRE ATT&CK is more detailed and used for gap analysis and detection engineering.
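The exam tip above says ATT&CK is used for gap analysis; as an added example (not from the original guide or from MITRE), the script below shows what that means in practice: a set of techniques of interest, tagged with their tactics, is compared against the techniques your detection rules claim to cover, and the gaps are reported per tactic. The technique IDs and tactics are the ones named in this guide; the rule names are hypothetical, and the mapping from ATT&CK tactics to Cyber Kill Chain stages is the editor's assumed correspondence, included to show how the two frameworks relate.

```python
"""ATT&CK detection-coverage gap analysis over a small technique set."""
from collections import defaultdict

# Technique ID -> (name, tactic), using the techniques mentioned in the guide.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1047": ("Windows Management Instrumentation", "Execution"),
    "T1136": ("Create Account", "Persistence"),
    "T1098": ("Account Manipulation", "Persistence"),
    "T1547": ("Boot or Logon Autostart Execution", "Persistence"),
}

# Assumed ATT&CK tactic -> Cyber Kill Chain stage correspondence (editor's mapping).
KILL_CHAIN_STAGE = {
    "Initial Access": "Delivery",
    "Execution": "Exploitation",
    "Persistence": "Installation",
}

# Constructed detection rules with hypothetical names; each lists the
# technique IDs it is meant to detect.
RULES = [
    {"name": "mail-attachment-macro", "techniques": ["T1566"]},
    {"name": "powershell-encoded-command", "techniques": ["T1059"]},
    {"name": "run-key-modified", "techniques": ["T1547"]},
]


def coverage_by_tactic(techniques, rules):
    """Group technique IDs under their tactic as 'covered' or 'gaps'."""
    covered = {t for r in rules for t in r["techniques"]}
    report = defaultdict(lambda: {"covered": [], "gaps": []})
    for tid, (_name, tactic) in techniques.items():
        bucket = "covered" if tid in covered else "gaps"
        report[tactic][bucket].append(tid)
    return dict(report)


def coverage_ratio(report):
    """Fraction of techniques with at least one rule, per tactic."""
    return {
        tactic: len(v["covered"]) / (len(v["covered"]) + len(v["gaps"]))
        for tactic, v in report.items()
    }


def uncovered_stages(report, stage_map):
    """Kill Chain stages whose mapped tactic has no detection at all."""
    return sorted(stage_map[t] for t, v in report.items()
                  if not v["covered"] and t in stage_map)


def unknown_techniques(rules, techniques):
    """Technique IDs referenced by rules but absent from the knowledge base
    (usually a typo in rule metadata that would silently inflate coverage)."""
    return sorted({t for r in rules for t in r["techniques"]} - set(techniques))


if __name__ == "__main__":
    report = coverage_by_tactic(TECHNIQUES, RULES)
    for tactic, v in report.items():
        print(f"{tactic:15} ({KILL_CHAIN_STAGE.get(tactic, '?')}): "
              f"covered={v['covered']} gaps={v['gaps']}")
    print("ratios:", coverage_ratio(report))
    print("stages with no detection:", uncovered_stages(report, KILL_CHAIN_STAGE))
    print("unknown IDs in rules:", unknown_techniques(RULES, TECHNIQUES))
```

With the constructed rules, Persistence is the weakest tactic (only the run-key rule covers one of its three techniques), which is the kind of finding a gap analysis is meant to surface; the Cyber Kill Chain view, being linear and coarser, can only say that the Installation stage has some coverage.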

What to Watch for on the Exam

  • Scenario-based questions: You'll be given a scenario and asked which threat actor is most likely (e.g., a sophisticated attack on a defense contractor → APT).
  • IOC identification: Given a list, pick the IOC (e.g., a suspicious domain is an IOC, not a vulnerability).
  • Framework stages: You may need to identify which stage of the Cyber Kill Chain a specific action belongs to (e.g., scanning is Reconnaissance).
  • MITRE ATT&CK mapping: Match a technique to its tactic (e.g., T1047 Windows Management Instrumentation is Execution).
  • Intelligence types: Differentiate strategic vs. tactical (e.g., a report on rising ransomware trends is strategic; a list of malicious IPs is tactical).

Memory Aid: For Cyber Kill Chain, remember "RWDEICA" (Recon, Weaponize, Deliver, Exploit, Install, C2, Actions). For threat actors, think "Nation-state = APT, Money = Organized Crime, Politics = Hacktivist."

Conclusion

Mastering threat intelligence and attack frameworks is essential for the Security+ SY0-701 exam. Focus on the differences between intelligence types, the structure of the Cyber Kill Chain and MITRE ATT&CK, and how IOCs are used in detection. Practice identifying threat actors from scenario descriptions and mapping actions to framework stages.

To reinforce these concepts, try our free practice questions covering threat intelligence, IOCs, and attack frameworks at [link to practice questions]. Good luck!
