Indicators of Malicious Activity
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Security+ premium course — no separate purchase.
Included in this chapter:
- Password and identity indicators: spraying vs. brute force
- Network and application attack indicators
- Cryptographic and physical attack indicators
- Reading the evidence trail: log and intel indicators
Reading the indicator: symptom to most-likely attack
| Observed indicator | Most-likely attack | Attack family | Why it fits |
|---|---|---|---|
| Failed logins across many accounts | Password spraying | Password | One common password per account stays under lockout thresholds |
| Repeated failures then account lockout | Brute force | Password | Exhaustive guessing against a single target trips the lockout policy |
| Impossible travel / concurrent sessions | Credential theft or replay | Network / identity | One credential used from two places at once means it was stolen or replayed |
| Resource consumption + inaccessibility | Amplified/reflected DDoS | Network | Exhausting CPU/bandwidth makes the service time out for legitimate users |
| DB errors or data leak from web input | Injection | Application | Untrusted input is executed as code or a query by the application |
| Web request reading unexpected files | Directory traversal | Application | ../ sequences escape the web root to reach the filesystem |
| Forged request from an authenticated user | CSRF / SSRF | Application | The victim's browser or server is tricked into making an unintended request |
| Cipher silently negotiated weaker | Downgrade | Cryptographic | Forcing an older protocol/cipher enables a known break |
| Two inputs share one hash digest | Collision / birthday | Cryptographic | Finding any colliding pair forges integrity or signatures |
| Audit records gone / out-of-cycle logging | Anti-forensics / tampering | Indicator | Missing or off-schedule logs suggest an attacker cleared their tracks |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
References
- CompTIA Security+ (SY0-701) certification
- Password cracking (CSRC glossary)
- Denial of service (CSRC glossary)
- Man-in-the-middle attack (CSRC glossary)
- SQL injection (CSRC glossary)
- NIST SP 800-107 Rev. 1: Recommendation for Applications Using Approved Hash Algorithms Whitepaper
- Audit record (CSRC glossary)
- NIST SP 800-92: Guide to Computer Security Log Management Whitepaper