300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Questions and Answers

The correct answer isCollect and process intelligence and data. In this scenario, theinitial threat hunting phaseoccurred when the SOC team received the alert and began analyzing SIEM logs to validate whether the activity was legitimate or malicious. This aligns directly with the first phase of the threat hunting lifecycle, which focuses on gathering, normalizing, and analyzing security-relevant data.

Threat hunting is a structured, hypothesis-driven process, but it always begins withdata collection and intelligence processing. This includes ingesting logs from identity providers, authentication systems, cloud platforms, VPNs, and endpoint telemetry into a SIEM. In this case, the alert regarding a sign-in from an unusual country triggered analysts to examine historical login patterns and geolocation data. By confirming that the user had never authenticated from that country, the team established that the event was anomalous and likely malicious.

Option B (Response and resolution) occurredafterthe initial phase, when the IT administrator reset the user’s password to contain the threat. Option C (Hypothesis) would involve formulating a theory such as “the account may be compromised due to credential theft,” but this step requires validated data first. Option D (Post-incident review) only happens after the incident has been fully resolved and lessons learned are documented.

From a professional cybersecurity operations perspective, this phase is critical becausehigh-quality data determines hunt effectiveness. Poor log coverage or incomplete identity telemetry would prevent analysts from confidently confirming the anomaly. This example also highlights why identity-related telemetry is foundational to modern threat hunting—compromised credentials remain one of the most common initial access vectors.

In short, before a SOC can hypothesize, respond, or improve controls, it must firstcollect and process accurate intelligence and data, making option A the correct answer.

The correct answer isConnection status. In this scenario, the key challenge for the security team is differentiatinglegitimate outbound trafficfrommalicious or DDoS-related trafficoriginating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.

The exhibit shows numerous TCP connections from the web server to many different external IP addresses, with varyingTCP statessuch as ESTABLISHED, TIME_WAIT, and FIN_WAIT. These connection states are highly valuable for threat hunting and network analysis. During DDoS activity—especially reflected or amplification-style attacks, or when a server is abused as part of an attack—connections often remain half-open, rapidly transition to TIME_WAIT, or fail to fully establish. In contrast, legitimate web traffic typically results in stable, short-lived ESTABLISHED sessions that follow predictable patterns.

Option B (destination port) is not useful here because most web traffic—both legitimate and malicious—commonly uses ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all traffic already originates from that server. Option D (protocol) is also ineffective, as both normal and DDoS traffic in this case use TCP.

From a professional SOC and threat hunting standpoint,connection state analysisis a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.

This approach aligns with mature threat hunting practices:when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.

The correct answer isit highlights consistent attacker tradecraft. Attribution depends on recognizingbehavioral patternsthat persist across campaigns.

Attackers frequently change malware, infrastructure, and exploits, but they are far less likely to changehow they prefer to operate. Consistent use of SMB for lateral movement and deliberate avoidance of PowerShell reflect conscious operational choices.

Option A is unrelated to lateral movement behavior. Option B assumes malware development, which may not exist. Option D addresses impact, not attribution.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingto correlate observed behaviors with known threat actor profiles. These behavioral fingerprints provide far stronger attribution confidence than low-level indicators.

Therefore,Option Cis the correct answer.

The correct answer isit reflects the attacker’s operational preferences. Attribution relies on understandinghow attackers operate, not just what tools they use.

Operational preferences—such as avoiding PowerShell logging, disabling AMSI, and favoring WMI—arebehavioral signatures. These patterns often persist across campaigns and are documented in threat intelligence reports associated with specific adversaries.

Option A is incorrect because malware families change frequently. Option B is unreliable due to infrastructure rotation. Option D is unrelated to post-access tradecraft.

Professional attribution focuses on:

Execution methods

Defensive evasion choices

Tooling preferences

Workflow consistency

Mapping these behaviors toMITRE ATT&CK techniquesenables analysts to compare findings against known threat actor profiles. This provides higher confidence attribution than artifact-based indicators.

Thus, optionCis the correct answer.

The correct answer isstandardizing hunt documentation and hypotheses. Mature threat hunting programs move beyond ad-hoc, intuition-driven efforts.

Standardization enables:

Knowledge sharing

Consistent methodology

Repeatable hunts

Easier onboarding of new analysts

Option A and B support operations but do not improve hunting maturity. Option D is unrealistic and risky.

By documenting hypotheses, data sources, queries, findings, and outcomes, organizations institutionalize knowledge and continuously improve detection capabilities.

This is a defining characteristic ofhigh-maturity threat hunting programs.

Therefore, optionCis correct.

The correct answer isit reveals operational discipline and intent. Attribution relies heavily on understandinghow attackers think and operate, not just the tools they use.

Operational discipline—such as careful reconnaissance, avoiding noisy exploitation, and operating during business hours—is ahuman behavioral pattern. These patterns are far more stable than infrastructure or malware and often correlate strongly with specific threat actor groups.

Option A and D focus on tooling, which changes frequently. Option B relates to persistence, not attribution.

Threat intelligence professionals use operational characteristics to distinguish between opportunistic criminals and advanced adversaries. Business-hour activity, careful lateral movement, and deliberate escalation often indicatetargeted intrusions, espionage, or financially motivated but sophisticated actors.

This information helps analysts align observed behavior with known threat actor profiles, improving attribution confidence. Thus, optionCis correct.

The correct answer isThey produce false positives and false negatives. Automated dynamic malware analysis tools, such as sandboxes, execute suspicious files in isolated environments to observe runtime behavior. While these tools are extremely valuable in modern SOCs, they are not infallible and have well-known limitations.

False positives occur when benign software exhibits behaviors that resemble malicious activity, such as creating registry keys, spawning child processes, or making network connections. Conversely, false negatives occur when malware intentionallyevades detectionby altering its behavior. Many modern malware samples include sandbox evasion techniques such as checking for virtualized environments, delaying execution, requiring user interaction, or disabling malicious functionality when analysis artifacts are detected.

Option A is incorrect because dynamic analysis can, in fact, uncover runtime vulnerabilities and exploit behavior. Option C is misleading; while tooling coverage varies, language support is not the primary limitation. Option D refers tomanual analysis, whereas the question explicitly addresses automated tools.

From a threat hunting and malware analysis standpoint, professionals understand that sandbox results must becorrelated with other telemetry, including endpoint behavior, network traffic, and threat intelligence. Automated tools are best used as part of a layered analysis strategy, not as a single source of truth.

This limitation reinforces a core security principle:automation accelerates detection, but human judgment validates impact. Skilled analysts interpret sandbox results, investigate anomalies, and determine real-world risk. Understanding the strengths and weaknesses of dynamic analysis tools allows SOC teams to avoid overreliance on automation while still benefiting from its speed and scale.

The correct answer isDiscovery of unknown attacker behaviors and closure of detection gaps. This outcome best reflects thestrategic valueof threat hunting beyond incident response.

Threat hunting is not primarily about cleanup actions such as credential resets or file removal—those areincident response tasks. The real value of hunting lies in uncoveringpreviously undetected attacker behaviors, understanding how adversaries bypass controls, and translating those findings intoimproved detection and prevention.

Option A represents low-value indicators that attackers can easily change. Option C assumes malware was involved, which is not the case. Option D is necessary but tactical, not strategic.

By identifying credential misuse patterns, lateral movement paths, and data exfiltration techniques, the team can:

Create new SIEM and EDR detections

Harden identity and access controls

Reduce dwell time for future intrusions

Force attackers higher up the Pyramid of Pain

This demonstratesorganizational resilience, not just containment. Mature security programs measure success by how effectively theyeliminate blind spots, not how many alerts they close.

Thus, optionBis the correct answer.

The correct answer isObservation of repeated failed logins followed by a successful login from a new location. This scenario represents anIndicator of Attack (IOA)because it reflectsattacker behavior in progress, not confirmed compromise.

IOAs focus onpatterns of malicious intent, such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggestspassword spraying or credential stuffing, both common initial access techniques.

Options A, B, and D are classicIndicators of Compromise (IOCs). Hashes, domains, and IP addresses are static artifacts that indicate a systemhas already been compromised. These indicators sit low on thePyramid of Painand are easy for attackers to change.

Cisco’sCBRTHD blueprintemphasizes hunting forIOAsbecause they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such asSecure Network Analytics,Secure Endpoint, and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isNetwork/host artifacts. To understand why, it is important to map the observed attacker behavior to thePyramid of Pain, a model that ranks indicators by how difficult they are for adversaries to change once detected.

In this scenario, the adversary is usingNmap OS fingerprinting, which involves sending carefully crafted packets and analyzing responses (TCP/IP stack behavior, TTL values, window sizes, flags, and timing characteristics). These behaviors leave behindnetwork and host artifacts, such as distinctive scan patterns, abnormal TCP flag combinations, OS fingerprinting probes, and consistent tool-specific traffic signatures.

On the Pyramid of Pain:

IP addresses (D)sit at the very bottom. Attackers can trivially change IPs using VPNs, proxies, or botnets.

Port probes (B)andUDPs (A)represent low-level indicators that are also easy to modify. An attacker can change scan ports, protocols, or scan timing with minimal effort.

Network/host artifacts (C)sit significantly higher. These include tool-generated behaviors, protocol anomalies, OS fingerprinting patterns, and scan logic inherent to tools like Nmap. Changing these requires attackers to reconfigure tools, write custom scanners, or significantly alter their operational approach.

From a threat hunting and SOC maturity perspective, detecting and alerting onnetwork and host artifactsforces attackers to expend more time and resources, increasing their operational cost. This aligns with the core objective of the Pyramid of Pain:maximize adversary pain by detecting behaviors, not easily replaceable indicators.

Professionally mature SOC teams focus on identifying scanning techniques (e.g., Nmap OS detection, TCP ACK probes, UDP probes) rather than blocking individual IPs. These detections are resilient, scalable, and effective against both commodity attackers and advanced adversaries.

In short, while IPs and ports are useful for short-term containment,network and host artifacts provide the highest-value indicators in this scenario, makingCthe correct answer.

The correct answer isC. Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

Cisco Secure Network Analytics (Stealthwatch) detectsCommand-and-Control (C2)activity by analyzingnetwork behavior, not by relying solely on known malicious indicators. In the exhibit, the critical investigative clue is theHTTP payload containing a suspicious external URL, which strongly suggests outbound communication from an internal host to an external command-and-control infrastructure.

The internal IP address10.201.3.99belongs to a workstation group (“Desktops”), indicating it is an internal endpoint, not a C2 server. This immediately rules out option B. Instead, the endpoint is acting as acompromised host (zombie)attempting to reach a remote server controlled by an attacker. This outbound beaconing behavior is a classic hallmark of C2 communication.

Option A is incorrect because packet count alone does not confirm C2 activity. C2 traffic is oftenlow-and-slow, intentionally designed to blend in with normal traffic patterns. Option D is also incorrect because the payload does not describe the zombie endpoint; rather, it shows aremote URL, which is likely part of malware staging or command retrieval.

From a threat hunting and SOC perspective, the most valuable information isdirectionality and intent:

Internal host → external suspicious domain

HTTP-based communication over an unusual port

Low data volume consistent with beaconing or payload retrieval

This aligns withMITRE ATT&CK – Command and Control (TA0011)techniques such asApplication Layer Protocols (T1071). Identifying which internal host is reaching out—and why—is essential for containment, endpoint isolation, and scope expansion.

Professionally, this insight enables the analyst to:

Quarantine host 10.201.3.99

Pivot to EDR telemetry on that endpoint

Block the external domain or IP

Hunt for similar beaconing patterns across the environment

In summary, the investigation is aided most by understanding thatan internal host is actively communicating with a C2 server, makingOption Cthe correct and operationally meaningful answer.

The correct answer isit indicates disciplined and methodical tradecraft. Attribution relies on understandingattacker behavior patterns, not just tools or infrastructure.

Consistent operational discipline—such as cautious discovery, avoidance of noisy actions, and deliberate escalation—reflectshuman decision-making, which is difficult to change and often persists across campaigns.

Options A, B, and D focus on artifacts or infrastructure, which attackers frequently rotate. Behavioral patterns, however, form atradecraft fingerprint.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingand behavioral consistency to support attribution, making this observation highly valuable.

Thus,Option Cis correct.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer ismonitoring NetFlow records for abnormal beaconing patterns. Cisco Secure Network Analytics is fundamentally abehavioral analytics platform, not a signature-based detection tool.

Advanced adversaries deliberately avoid known malicious infrastructure to bypass traditional IOC-based defenses. As a result, IP addresses, domains, and threat intelligence feeds (Options A and D) provide limited long-term value and sit at thelowest levels of the Pyramid of Pain.

Stealthwatch excels at detectingbehavioral anomalies in network traffic, particularly:

Regular, low-volume outbound connections

Consistent timing intervals (beaconing)

Rare destination communication

Protocol misuse over common ports (80/443)

These patterns are characteristic ofC2 traffic, even when encryption and legitimate cloud services are used. By analyzingNetFlow telemetry, analysts can detect C2 behavior without needing to know the destination in advance.

Firewall logs (Option C) are reactive and lack behavioral context. They also miss allowed traffic, which is where most stealthy C2 operates.

This hunting technique aligns directly withCBRTHD blueprint objectivesrelated to:

Network-based threat hunting

Detecting command-and-control communications

Moving detection higher on the Pyramid of Pain

Therefore,Option Bis the most effective and Cisco-aligned answer.

The correct answer isbehavioral analysis of outbound traffic patterns. Advanced attackers intentionally usestandard protocols such as HTTP and HTTPSto blend exfiltration traffic with normal activity.

Hash-based and signature-based methods are ineffective because:

No malware may be present

Traffic appears legitimate

Infrastructure is frequently rotated

Behavioral analysis detects anomalies such as:

Unusual data transfer volumes

Abnormal session timing

Beaconing patterns

Rare destinations

This approach aligns withnetwork threat hunting best practicesand forces attackers to significantly alter behavior, increasing adversary cost.

Therefore, optionBis correct.