Attack Vectors and Attack Surface
Key Takeaways
- An attack vector is a single path to a target; the attack surface is the total set of reachable entry points across systems, identities, and vendors.
- SY0-701 objective 2.2 names message-based, image-based, file-based, voice call, removable device, vulnerable software, unsupported systems, unsecure networks, open service ports, default credentials, and supply chain vectors.
- Reducing attack surface means removing, disabling, hardening, segmenting, or restricting reachability, not just detecting attacks after the fact.
- Credential attacks have distinct fingerprints: spraying (one password, many users), brute force (many passwords, one user), and stuffing (known pairs across sites).
- Internet-facing services, identity providers, and default credentials deserve top priority because compromise spreads quickly.
Vector vs. Surface
An attack vector is the route a threat actor uses to gain access, such as a phishing email or an exposed Remote Desktop Protocol (RDP) port. The attack surface is the sum of all such reachable routes: every exposed service, application programming interface (API), identity, endpoint, vendor connection, and removable-media path. One open admin portal is a vector; all of them together form the surface. SY0-701 objective 2.2 expects you to recognize specific vectors and pick the control that shrinks the surface.
SY0-701 Vector List and Reductions
| Vector | What attackers exploit | Best reduction |
|---|---|---|
| Message-based (email, SMS, IM) | Malicious links, attachments, impersonation | Filtering, DMARC/DKIM/SPF, sandboxing, training |
| Image-based | Malicious code embedded in image files | Content inspection, disable auto-render |
| File-based | Macros, scripts, weaponized documents | Block macros, sandboxing, file-type controls |
| Voice call (vishing) | Phone-based deception | Verification procedures, caller authentication |
| Removable device | Malware, data theft via USB | Disable/control USB, DLP, device control |
| Vulnerable / unsupported software | Unpatched flaws, end-of-life systems | Patch management, replace EOL systems |
| Unsecure networks (wired/wireless/Bluetooth) | Eavesdropping, evil twin, rogue AP | WPA3, 802.1X, segmentation, monitoring |
| Open service ports | Reachable RDP, SSH, database listeners | Close ports, firewall, VPN/ZTNA, MFA |
| Default credentials | Vendor-shipped admin/admin logins | Change on deployment, enforce policy |
| Supply chain | Vendor, MSP, dependency, hardware paths | Due diligence, segmentation, signing |
Attack Surface Questions
When a stem says "reduce the attack surface," the correct answer almost always removes or narrows reachability. Detection-only options (more logging, a SIEM alert, a longer retention window) are distractors because they do not close the path.
| Scenario | Better answer (reduces surface) | Weaker answer (detect only) |
|---|---|---|
| RDP exposed to the internet | Place behind VPN/ZTNA and require MFA | Increase log retention |
| Unused service running on a server | Disable the service | Rename the service |
| Public cloud storage bucket | Block public access, fix the IAM policy | Add a warning banner |
| Developers commit API keys to a repo | Secret scanning and immediate key rotation | Send a policy reminder |
| Flat network allows lateral movement | Segment and restrict east-west traffic | Improve asset inventory only |
| Device ships with default credentials | Change credentials before deployment | Document the default in a wiki |
Credential Attack Fingerprints
SY0-701 distinguishes several password attacks by the ratio of guesses to accounts.
| Clue in the stem | Attack pattern |
|---|---|
| One common password tried against many usernames | Password spraying (evades lockout) |
| Many passwords tried against a single account | Brute force |
| Known username/password pairs replayed across sites | Credential stuffing |
| A captured authentication token reused later | Replay / session hijacking |
| Logins from impossible-travel locations | Stolen credential or hijacked session |
The spraying-versus-brute-force distinction is a frequent exam item: spraying deliberately keeps each account's failure count low to avoid account-lockout thresholds.
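The fingerprints in the table can be turned into a simple detector. The script below is an added example (not from the exam objectives or any vendor tool): it parses constructed authentication log lines and labels each source IP by its guess-to-account ratio. The lockout threshold, the minimum number of sprayed accounts, and the success ratio used to flag stuffing are assumed tuning values.

```python
import re
from collections import defaultdict

# Assumed lockout threshold of the target system; a sprayer stays below it per account.
LOCKOUT_THRESHOLD = 3
SPRAY_MIN_USERS = 4        # assumed: distinct accounts needed before we call it spraying
STUFF_SUCCESS_RATIO = 0.2  # assumed: success share that suggests replayed valid pairs

# Constructed sample auth log (not real data): "<time> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=203.0.113.7
09:00:02 FAIL user=bob src=203.0.113.7
09:00:03 FAIL user=carol src=203.0.113.7
09:00:04 FAIL user=dave src=203.0.113.7
09:10:00 FAIL user=frank src=198.51.100.9
09:10:01 FAIL user=frank src=198.51.100.9
09:10:02 FAIL user=frank src=198.51.100.9
09:20:00 OK user=gina src=192.0.2.44
09:20:01 FAIL user=hal src=192.0.2.44
09:20:02 OK user=ivy src=192.0.2.44
09:20:03 FAIL user=jon src=192.0.2.44
09:30:00 OK user=gina src=192.0.2.33
"""
LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    # Extract (result, user, src) from each well-formed line; ignore the rest.
    return [(m["result"], m["user"], m["src"])
            for m in map(LINE_RE.match, log_text.splitlines()) if m]

def classify(log_text):
    # Per source IP: failures per account, successes, and the set of accounts touched.
    per_src = defaultdict(lambda: {"fails": defaultdict(int), "ok": 0, "users": set()})
    for result, user, src in parse(log_text):
        rec = per_src[src]
        rec["users"].add(user)
        if result == "FAIL":
            rec["fails"][user] += 1
        else:
            rec["ok"] += 1
    labels = {}
    for src, rec in per_src.items():
        users, max_fail = len(rec["users"]), max(rec["fails"].values(), default=0)
        total = sum(rec["fails"].values()) + rec["ok"]
        if max_fail >= LOCKOUT_THRESHOLD:          # many guesses against one account
            labels[src] = "brute force"
        elif users >= SPRAY_MIN_USERS and max_fail <= 1 and rec["ok"] / total >= STUFF_SUCCESS_RATIO:
            labels[src] = "credential stuffing"    # one try per account, unusually many succeed
        elif users >= SPRAY_MIN_USERS and max_fail < LOCKOUT_THRESHOLD:
            labels[src] = "password spraying"      # one guess each, many accounts, under lockout
        else:
            labels[src] = "no pattern"
    return labels
```

Because a sprayer never trips the per-account lockout counter, the useful detection key is the source (or the count of distinct accounts per source), not the account.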
Scenario Walkthrough
A company finds an old management interface reachable from the internet. It has not been patched in months and supports only password authentication. The first move is to reduce exposure: remove the internet path, restrict access to an administrative network or a ZTNA/VPN tunnel, patch the service, enable MFA, and then monitor. A SIEM alert is valuable, but by itself it leaves the reachable path open, so it is the weaker choice when the question asks how to reduce the attack surface.
Quick Drill
| Question asks for... | Think... |
|---|---|
| The path used to attack | Attack vector |
| All possible paths | Attack surface |
| Fewer reachable services | Disable, firewall, segment, restrict |
| Fewer credential risks | MFA, breached-password checks, secret management |
| Less lateral movement | Segmentation and least privilege |
| One password, many accounts | Password spraying |
Prioritizing the Surface
Not every entry point carries equal weight, and SY0-701 expects you to reason about priority. Internet-facing assets are the highest concern because they can be reached by anyone on earth without any prior foothold; an exposed RDP port or an unpatched VPN appliance is a direct line in. Identity providers and directory services rank next, because compromising the system that issues credentials and tokens can unlock every downstream application at once.
Default credentials are a deceptively large part of the surface: network appliances, cameras, printers, and Internet of Things (IoT) devices that ship with vendor-known logins are scanned for constantly, so changing them before deployment is one of the cheapest, highest-impact reductions available.
Legacy and unsupported software widen the surface in a way patching cannot fix, because end-of-life products no longer receive security updates at all. The exam answer for an unsupported operating system is usually to isolate it on a segmented network, wrap it in compensating controls, and plan its replacement, not merely to scan it. Removable media and Bluetooth round out the picture as physical-adjacent vectors that bypass perimeter firewalls entirely, which is why USB device control and data loss prevention (DLP) appear so often as the right answer.
The unifying principle is reachability. Every control that earns the point in an attack-surface question does one of five things: it removes the asset, disables the unneeded function, hardens the configuration, segments the network so a breach cannot spread, or restricts who may reach the path. Detection layered on top is good defense in depth, but on its own it never shrinks the surface, and the exam consistently rewards the option that closes the door over the option that merely watches it.
Practice Questions
- A scan finds an unused database listener exposed to the internet. Which action most directly reduces the attack surface?
- Attackers try one common password against hundreds of usernames specifically to stay under the account-lockout threshold. What is this technique called?
- Which actions reduce attack surface rather than merely detect attacks? Choose two.