300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Questions and Answers

The correct answer isanalyzing abnormal behavior patterns across identity, endpoint, and network telemetry. This approach represents the foundation of modern threat hunting and directly addresses adversaries who deliberately avoid traditional detections.

Advanced attackers increasingly rely onliving-off-the-land techniques, stolen credentials, and legitimate administrative tools such as PowerShell, WMI, RDP, and cloud APIs. These activities rarely generate malware signatures or known IOCs, making alert-driven and signature-based defenses insufficient. As a result, mature threat hunting programs shift focus towardbehavioral analysis and anomaly detection.

Option A and D rely on static indicators such as IPs, domains, and hashes. These sit at thelowest levels of the Pyramid of Painand are trivial for attackers to change. Option B is purely reactive and limited to known malware, offering little value against stealthy intrusions.

By correlating identity logs (authentication patterns, geolocation anomalies), endpoint telemetry (process execution, parent-child relationships), and network activity (unusual connections, lateral movement patterns), hunters can detectIndicators of Attack (IOAs)rather than waiting for confirmed compromise. This enables identification of credential misuse, privilege abuse, and lateral movement even when no malware is present.

This methodology aligns withMITRE ATT&CK TTP-based hunting, which focuses on tactics and techniques instead of tools or infrastructure. It also reflects a higher tier in theThreat Hunting Maturity Model, where organizations proactively search for unknown threats rather than responding to alerts.

In professional SOC environments, this shift dramatically increases detection coverage against advanced adversaries and reduces dwell time. Therefore, optionCis the most accurate and strategically sound answer.

The correct answer isTransitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities. This directly aligns with both theThreat Hunting Maturity Modeland the strategic goals of thePyramid of Pain, which emphasizes increasing the adversary’s cost by detecting behaviors and tactics rather than easily changeable indicators.

Reactive security operations focus on alerts, signatures, and known indicators such as hashes, IP addresses, and domains—the lowest and least painful levels of the Pyramid of Pain. While necessary, these controls are easily bypassed by sophisticated adversaries. Proactive threat hunting represents a higher maturity level, where analysts actively search forunknown, stealthy, or novel attacker behaviorsthat have not yet triggered alerts.

Option D (automating detection of known threats) improves efficiency but does not meaningfully increase adversary pain, as attackers can rapidly change known indicators. Option B provides preparedness benefits but does not directly shift detection capabilities. Option A focuses on compliance, which is necessary for governance but largely irrelevant to adversary behavior.

By transitioning to proactive hunting, organizations focus onTTP-based detection, such as credential misuse patterns, abnormal lateral movement, persistence mechanisms, and command-and-control behaviors. These detections operate higher in the Pyramid of Pain—tactics, techniques, and procedures—forcing attackers to significantly retool and increasing the likelihood of early detection.

From a CISO-level perspective, this shift reflects mature security leadership:compliance keeps you legal, automation keeps you efficient, but proactive threat hunting keeps you resilient against advanced threats.

The correct answer isbehavioral analysis of outbound traffic patterns. Advanced attackers intentionally usestandard protocols such as HTTP and HTTPSto blend exfiltration traffic with normal activity.

Hash-based and signature-based methods are ineffective because:

No malware may be present

Traffic appears legitimate

Infrastructure is frequently rotated

Behavioral analysis detects anomalies such as:

Unusual data transfer volumes

Abnormal session timing

Beaconing patterns

Rare destinations

This approach aligns withnetwork threat hunting best practicesand forces attackers to significantly alter behavior, increasing adversary cost.

Therefore, optionBis correct.

The correct answer isdocumenting findings and updating detection logic. This represents thepost-hunt operationalization phase, which is critical for long-term security improvement.

While options A and C are necessary response actions, they address only thecurrent incident. Threat hunting’s strategic value comes from transforming discoveries intorepeatable detections, playbooks, and controls.

Professional threat hunting programs ensure that:

Successful hunts produce new SIEM rules

Detection gaps are closed

Findings are documented for future analysts

Lessons learned inform security architecture decisions

Option D continues exploration but fails to institutionalize knowledge. Without operationalizing results, organizations repeatedly rediscover the same threats.

This phase directly increases maturity in theThreat Hunting Maturity Model, shifting organizations from hero-driven hunting to scalable, resilient detection. It also moves defendersup the Pyramid of Pain, forcing adversaries to change tactics rather than indicators.

Therefore, optionBis the correct and most strategically important answer.

The correct answer is SQL injection. The decoded HTTP request shown in the exhibit contains multiple unmistakable indicators of a SQL injection attack, including the use of SQL keywords and functions such as SELECT, CASE, SUBSTRING, ASCII, BIN, and conditional SLEEP() statements. These elements are characteristic of time-based blind SQL injection, a technique attackers use to extract database information when direct query results are not visible.

From a professional cybersecurity perspective, the presence of expressions like:

SELECT (CASE WHEN … THEN SLEEP(x))

SUBSTRING(password,1,1)

ASCII() and binary conversions

indicates that the attacker is probing the backend database character by character and using response timing to infer whether conditions are true or false. This is a well-known exploitation method used when error messages or query output are suppressed by the application.

The use of Base64 encoding does not represent the attack itself but rather an obfuscation technique to evade basic web application firewall (WAF) signatures and logging visibility. Encoding payloads allows attackers to bypass simple pattern-matching defenses, but once decoded, the underlying SQL injection becomes evident.

Option A (Unicode encoding) is incorrect because Unicode is commonly used for evasion, not exploitation. Option C (directory traversal) typically involves sequences like ../ to access filesystem paths, which are not present. Option D (XSS) targets client-side script execution and would include JavaScript payloads rather than database-focused logic.

According to the MITRE ATT&CK framework, this activity maps to Initial Access – Exploit Public-Facing Application (T1190). SQL injection remains one of the most exploited vulnerabilities in public-facing applications due to poor input validation and insecure coding practices.

For threat hunters and defenders, this scenario reinforces the importance of deep payload inspection, decoding obfuscated requests, monitoring for anomalous database query behavior, and enforcing secure development practices such as parameterized queries and input sanitization. SQL injection continues to be a high-impact, real-world attack vector despite being well understood, making it a critical focus area in web application threat hunting.

The correct answer isit exposes consistent attacker tradecraft. Attribution relies on identifyinghow attackers behave, not just what tools or infrastructure they use.

Using valid credentials, avoiding malware, and abusing remote management protocols representintentional operational choices. These behaviors are difficult to change and often persist across campaigns.

Option A and B focus on artifacts that attackers frequently rotate. Option D assumes exploitation, which may not be present at all.

Cisco-aligned threat hunting emphasizes:

MITRE ATT&CK technique mapping

Behavioral consistency

Operational patterns

This information enables analysts to compare activity against known adversary profiles maintained by Cisco Talos and other intelligence sources.

Thus,Option Cis the correct answer.

The correct answer isattack path analysis using identity relationships. Cloud breaches increasingly occur throughmisconfigured identity permissions, not software flaws.

Attack path analysis mapstrust relationships, role assumptions, permissions, and access boundariesto understand how attackers can pivot through identity systems. This is especially relevant in cloud environments where:

Roles can assume other roles

Permissions are inherited

Overprivileged identities are common

Option A is too abstract and does not capture privilege chaining. Option B assumes malware execution, which is unnecessary in identity-based attacks. Option D measures severity but does not model attacker movement.

Professional threat hunters and cloud security teams rely on attack path analysis to:

Identify privilege escalation paths

Detect identity blast radius

Prioritize remediation of high-risk relationships

This directly supports proactive hunting and aligns withidentity-first security principles.

Therefore, optionCis correct.

The correct answer isit highlights consistent attacker tradecraft. Attribution depends on recognizingbehavioral patternsthat persist across campaigns.

Attackers frequently change malware, infrastructure, and exploits, but they are far less likely to changehow they prefer to operate. Consistent use of SMB for lateral movement and deliberate avoidance of PowerShell reflect conscious operational choices.

Option A is unrelated to lateral movement behavior. Option B assumes malware development, which may not exist. Option D addresses impact, not attribution.

Cisco-aligned threat hunting usesMITRE ATT&CK technique mappingto correlate observed behaviors with known threat actor profiles. These behavioral fingerprints provide far stronger attribution confidence than low-level indicators.

Therefore,Option Cis the correct answer.

The correct answer isstandardizing hunt documentation and hypotheses. Mature threat hunting programs move beyond ad-hoc, intuition-driven efforts.

Standardization enables:

Knowledge sharing

Consistent methodology

Repeatable hunts

Easier onboarding of new analysts

Option A and B support operations but do not improve hunting maturity. Option D is unrealistic and risky.

By documenting hypotheses, data sources, queries, findings, and outcomes, organizations institutionalize knowledge and continuously improve detection capabilities.

This is a defining characteristic ofhigh-maturity threat hunting programs.

Therefore, optionCis correct.

The correct answer isit reveals consistent attacker tradecraft across incidents. Attribution relies onbehavioral consistency, not on malware samples or exploits.

Avoiding malware and abusing legitimate tools (living-off-the-land techniques) reflects adeliberate operational strategy. These behaviors tend to remain consistent across campaigns and are frequently documented in threat intelligence profiles.

Options A and D are incorrect because no exploit or ransomware is involved. Option B is incorrect; living-off-the-land techniques are modern, not outdated.

Cisco-aligned threat hunting emphasizesMITRE ATT&CK mappingand behavioral analysis to support attribution efforts. This approach is far more reliable than artifact-based attribution.

Thus,Option Cis the correct answer.

The correct answer isDiscovery of unknown attacker behaviors and closure of detection gaps. This outcome best reflects thestrategic valueof threat hunting beyond incident response.

Threat hunting is not primarily about cleanup actions such as credential resets or file removal—those areincident response tasks. The real value of hunting lies in uncoveringpreviously undetected attacker behaviors, understanding how adversaries bypass controls, and translating those findings intoimproved detection and prevention.

Option A represents low-value indicators that attackers can easily change. Option C assumes malware was involved, which is not the case. Option D is necessary but tactical, not strategic.

By identifying credential misuse patterns, lateral movement paths, and data exfiltration techniques, the team can:

Create new SIEM and EDR detections

Harden identity and access controls

Reduce dwell time for future intrusions

Force attackers higher up the Pyramid of Pain

This demonstratesorganizational resilience, not just containment. Mature security programs measure success by how effectively theyeliminate blind spots, not how many alerts they close.

Thus, optionBis the correct answer.

The correct answers areA. Service and version of the web serverandC. Technology used by the application. The error message shown in the exhibit is a classic example ofverbose error handling, which unintentionally discloses sensitive internal details about the web application stack.

First, the error page explicitly referencesApache Tomcat/6.0.16at the bottom. This directly exposes theweb server/service and its exact version, makingOption Acorrect. From an attacker’s perspective, this is valuable intelligence because it allows them to search forknown vulnerabilities, exploits, or misconfigurationsspecific to that version of Tomcat. Older versions of Tomcat, in particular, have a long history of publicly documented security flaws.

Second, the stack trace references components such as:

org.apache.jasper.compiler.*

.jsp files (e.g., /user/left.jsp)

javax.servlet.http.HttpServlet

These details clearly reveal thetechnology stack used by the application, namelyJava Server Pages (JSP)running onApache Tomcat with Apache Jasper. This confirmsOption Cas correct. Exposing application technology helps attackers tailor attacks such as deserialization exploits, JSP injection attempts, or framework-specific vulnerabilities.

Option B is incorrect because the error message doesnotstate or imply that Apache Jasper is vulnerable to path injection; it merely shows a compilation/runtime error. Option D is incorrect because the error page provides no information about theclient-side browser version—all disclosed details relate to server-side processing.

From a professional security and threat hunting perspective, verbose error messages significantlyincrease attack surface visibility. Best practices dictate that production systems should returngeneric error messagesto users while logging detailed stack traces internally. This scenario reinforces why proper error handling and information disclosure controls are critical defensive measures.

In summary, the penetration test error message exposes:

Theweb server service and version

Theapplication technology stack

Therefore, the correct answers areA and C.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected after initial compromise.

As threat hunting maturity increases:

Behavioral coverage improves

Detection occurs earlier in the attack lifecycle

Attackers are identified before achieving objectives

Options A and C measure activity, not effectiveness. Option D measures inputs, not outcomes.

Cisco’sCBRTHD blueprintemphasizes outcome-driven metrics. Reduced dwell time directly correlates with lower business impact, reduced data loss, and improved resilience.

Therefore,Option Bis the most meaningful and Cisco-aligned metric.

The correct answer isMonitoring failed AWS console login attempts. The Bash script shown in the exhibit is clearly designed toparse AWS CloudTrail logsand extract specific authentication-related events.

Breaking down the script behavior from a professional cloud security perspective:

gunzip -c *.json.gz indicates the script is processingcompressed CloudTrail log files, which are typically stored in .json.gz format.

jq -c '.Records[]' parses individual CloudTrail records, a common approach when analyzing AWS activity logs.

The filter conditions explicitly check for:

eventSource == "signin.amazonaws.com"

eventName == "ConsoleLogin"

responseElements.ConsoleLogin == "Failure"

These fields are definitive indicators offailed AWS Management Console login attempts. Additionally, the script extracts contextual fields such as:

Event time

Source IP address

Error message

AWS region

Username

MFA usage status

This data is exactly what security teams use to detectcredential abuse, password spraying, brute-force attempts, and compromised IAM accounts. Monitoring failed console logins is a foundational cloud threat hunting activity, especially for identifying early stages of account takeover.

Option B is incorrect because the script does not establish AWS CLI sessions or authenticate to accounts. Option C is incorrect because instance errors would involve services like ec2.amazonaws.com and different event names. Option D is incorrect because the script is analyzing—not archiving—records, and it applies filtering logic rather than storage or lifecycle management.

From a threat hunting and cloud security standpoint, this script supportsidentity-focused detection, which is critical in AWS environments where IAM misuse is one of the most common initial access vectors. It aligns withMITRE ATT&CK – Credential Access and Initial Access, particularly techniques involving valid account abuse.

In summary, the script’s clear purpose is tomonitor failed AWS console login attempts, makingOption Athe correct and professionally validated answer.

The correct answer isanalyzing authentication behavior anomalies across users and devices. Credential abuse is one of the most common and effective techniques used by modern attackers because it allows them to blend in with legitimate activity and bypass malware-based defenses.

Options A and B rely on malware indicators, which are often absent in credential-based attacks. Option D addresses only one potential delivery or command-and-control vector and does not detect misuse of valid credentials.

By analyzing authentication behavior, threat hunters can detect:

Impossible travel scenarios

Abnormal login times

Excessive failed logins followed by success

Logins from unusual devices or locations

Cisco tools such asCisco Secure Network Analytics, VPN telemetry, and identity logs provide rich data sources for this type of hunting. This approach focuses onIndicators of Attack (IOAs)rather than Indicators of Compromise (IOCs), pushing detection higher on thePyramid of Pain.

Within theCBRTHD blueprint, hunting for credential misuse is a core competency, especially in cloud and remote-access environments. Detecting these behaviors early significantly reduces attacker dwell time and limits the blast radius of compromise.

Therefore,Option Cis the most effective and Cisco-aligned answer.