300-220 Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD Questions and Answers

The correct answer is Structured threat hunting . In this scenario, the SOC team has already confirmed malicious activity —a compromised user account, anomalous VPN access, and indicators consistent with data exfiltration. Once an incident has been validated and attributed to adversary behavior, the next professional step is to perform structured threat hunting to uncover additional attacker actions across the environment.

Structured threat hunting is hypothesis-driven and based on known attacker tactics, techniques, and procedures (TTPs), often mapped to frameworks such as MITRE ATT & CK . Here, the team can form hypotheses like: “If the adversary accessed the file server for exfiltration, they may have also attempted lateral movement, persistence, or privilege escalation.” Analysts then systematically query endpoint, identity, VPN, file server, and network telemetry to confirm or disprove these hypotheses.

Option A (Unstructured) is typically used at the earliest stages when little is known and analysts are exploring weak signals or anomalies without a defined adversary model. That phase has already passed in this case. Option B (AI-driven) refers to tooling or analytics methods rather than a threat hunting methodology. Option C (Proactive) is a general mindset applied to all hunting activities, not a specific hunting type used to investigate known attacker behavior.

From a professional SOC and threat hunting perspective, structured hunting enables full attack chain reconstruction . It helps identify secondary objectives such as data staging locations, additional compromised accounts, persistence mechanisms, and command-and-control activity. The outcome is a more complete understanding of the breach, improved containment, and stronger detection logic for future incidents.

This approach reflects mature security operations: once compromise is confirmed, hunt the adversary—not just the alert . Structured threat hunting ensures attackers are fully evicted and prevents repeat compromise through overlooked footholds.

The correct answer is endpoint process execution and memory access events . During the data collection and processing phase , the goal is to gather high-fidelity telemetry that supports hypothesis validation.

Credential harvesting often occurs without dropping malware and instead relies on:

Memory scraping

LSASS access

Credential dumping tools

In-memory execution

Cisco Secure Endpoint provides deep visibility into:

Process creation and parent-child relationships

Memory access attempts

Privilege abuse

Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts.

Within the CBRTHD threat hunting lifecycle , this phase emphasizes evidence over indicators . Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques.

This aligns with MITRE ATT & CK Credential Access tactics and Cisco’s emphasis on endpoint behavioral analytics .

Thus, Option B is the correct answer.

The correct answer is Attack trees . Attack trees are uniquely suited for modeling multi-step adversary behavior , which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration.

Attack trees begin with a high-level attacker goal (for example, “Exfiltrate customer data”) and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate.

Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capture sequential attack paths . Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.

For threat hunters and defenders, attack trees provide a shared mental model between architects, SOC teams, and red teams. They directly inform detection engineering by highlighting critical choke points where attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments.

In modern cloud security, where breaches often involve multiple low-severity issues chained together , attack trees offer far greater strategic value than component-by-component analysis. They also align closely with MITRE ATT & CK mapping , enabling defenders to translate threat models into actionable hunts.

Thus, option C is the most appropriate and professionally validated answer.

The correct answer is formulating a hypothesis to search for credential misuse without alerts . This activity is the defining characteristic of threat hunting .

Threat hunting is proactive and hypothesis-driven , meaning analysts intentionally search for attacker behavior that has not yet triggered alerts. Detection engineering, on the other hand, focuses on building and tuning automated rules that respond to known patterns.

Options A, B, and D all represent reactive or preventative security operations . They rely on known indicators or alerts and are foundational but insufficient against stealthy adversaries who abuse valid credentials and native tools.

Cisco’s CBRTHD blueprint explicitly emphasizes hypothesis-based hunting as a core competency. Hunters ask questions like:

“If credentials were stolen, how would that look in our telemetry?”

“What behavior would indicate lateral movement without malware?”

This approach aligns with detecting Indicators of Attack (IOAs) and operating higher on the Pyramid of Pain , forcing adversaries to change tactics instead of infrastructure.

Therefore, Option C is the correct and Cisco-aligned answer.

The correct answer is standardizing hunt documentation and hypotheses . Mature threat hunting programs move beyond ad-hoc, intuition-driven efforts.

Standardization enables:

Knowledge sharing

Consistent methodology

Repeatable hunts

Easier onboarding of new analysts

Option A and B support operations but do not improve hunting maturity. Option D is unrealistic and risky.

By documenting hypotheses, data sources, queries, findings, and outcomes, organizations institutionalize knowledge and continuously improve detection capabilities.

This is a defining characteristic of high-maturity threat hunting programs .

Therefore, option C is correct.

The correct answers are Use of Windows Remote Management (C) and Use of tools and commands to connect to remote shares (E) . Both are core mechanisms attackers leverage for lateral movement after gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility into credential-based movement , which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses on how credentials are used , not just how they are stolen.

The correct answer is correlating attacker behavior across multiple MITRE ATT & CK techniques . This approach focuses on behavioral detection , which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to as living-off-the-land techniques —intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may be no malicious files at all . Options A and D sit at the lowest levels of the Pyramid of Pain , making them easy for adversaries to evade.

By correlating behavior across multiple ATT & CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detect how the attacker operates rather than what tools they use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into a high-confidence attack pattern is how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of the Threat Hunting Maturity Model and the top of the Pyramid of Pain , making option B the correct answer.

The correct answer is Transitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities . This directly aligns with both the Threat Hunting Maturity Model and the strategic goals of the Pyramid of Pain , which emphasizes increasing the adversary’s cost by detecting behaviors and tactics rather than easily changeable indicators.

Reactive security operations focus on alerts, signatures, and known indicators such as hashes, IP addresses, and domains—the lowest and least painful levels of the Pyramid of Pain. While necessary, these controls are easily bypassed by sophisticated adversaries. Proactive threat hunting represents a higher maturity level, where analysts actively search for unknown, stealthy, or novel attacker behaviors that have not yet triggered alerts.

Option D (automating detection of known threats) improves efficiency but does not meaningfully increase adversary pain, as attackers can rapidly change known indicators. Option B provides preparedness benefits but does not directly shift detection capabilities. Option A focuses on compliance, which is necessary for governance but largely irrelevant to adversary behavior.

By transitioning to proactive hunting, organizations focus on TTP-based detection , such as credential misuse patterns, abnormal lateral movement, persistence mechanisms, and command-and-control behaviors. These detections operate higher in the Pyramid of Pain—tactics, techniques, and procedures—forcing attackers to significantly retool and increasing the likelihood of early detection.

From a CISO-level perspective, this shift reflects mature security leadership: compliance keeps you legal, automation keeps you efficient, but proactive threat hunting keeps you resilient against advanced threats .

The correct answer is consistent attacker tradecraft mapped to MITRE ATT & CK . Attribution at a professional level relies on behavioral consistency , not superficial artifacts.

Advanced threat actors routinely rotate infrastructure, recompile malware, and vary filenames specifically to defeat attribution efforts. As a result, indicators such as IP addresses, hashes, and timestamps are unreliable and sit low on the Pyramid of Pain .

What attackers cannot easily change is how they operate . This includes:

Initial access techniques

Credential harvesting methods

Lateral movement patterns

Persistence mechanisms

Command-and-control behaviors

When these behaviors remain consistent across incidents, they form a behavioral fingerprint . Mapping these observations to MITRE ATT & CK techniques allows analysts to compare activity against known threat group profiles maintained by intelligence providers and national CERTs.

Option A and B are weak indicators easily altered by attackers. Option D provides almost no attribution value, as timing alone is coincidental and unreliable.

Professional attribution requires correlating TTPs across campaigns and validating them against historical threat actor intelligence. This method supports high-confidence attribution used in legal, executive, and geopolitical contexts.

Therefore, Option C is the correct and defensible answer.

The correct answer is document findings and operationalize detections . In Cisco’s threat hunting methodology, confirmation of malicious activity is not the end of the hunt .

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

The CBRTHD blueprint strongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore, Option B is correct.

The correct answer is monitoring NetFlow records for abnormal beaconing patterns . Cisco Secure Network Analytics is fundamentally a behavioral analytics platform , not a signature-based detection tool.

Advanced adversaries deliberately avoid known malicious infrastructure to bypass traditional IOC-based defenses. As a result, IP addresses, domains, and threat intelligence feeds (Options A and D) provide limited long-term value and sit at the lowest levels of the Pyramid of Pain .

Stealthwatch excels at detecting behavioral anomalies in network traffic , particularly:

Regular, low-volume outbound connections

Consistent timing intervals (beaconing)

Rare destination communication

Protocol misuse over common ports (80/443)

These patterns are characteristic of C2 traffic , even when encryption and legitimate cloud services are used. By analyzing NetFlow telemetry , analysts can detect C2 behavior without needing to know the destination in advance.

Firewall logs (Option C) are reactive and lack behavioral context. They also miss allowed traffic, which is where most stealthy C2 operates.

This hunting technique aligns directly with CBRTHD blueprint objectives related to:

Network-based threat hunting

Detecting command-and-control communications

Moving detection higher on the Pyramid of Pain

Therefore, Option B is the most effective and Cisco-aligned answer.

The correct answer is reduction in attacker dwell time . Dwell time measures how long an attacker remains undetected in the environment.

As threat hunting maturity increases:

Detection becomes faster

Behavioral coverage improves

Attackers are identified earlier in the kill chain

Metrics such as alert volume or blocked IPs (Options A and D) do not reflect effectiveness and may even indicate excessive noise. Option B measures inputs, not outcomes.

Cisco’s CBRTHD blueprint focuses on outcomes , not activity. Reduced dwell time demonstrates:

Effective hunting

Better visibility

Stronger detection engineering

This metric directly correlates with reduced breach impact and improved resilience.

Therefore, Option C is the correct and Cisco-aligned answer.

The correct answer is SQL injection. The decoded HTTP request shown in the exhibit contains multiple unmistakable indicators of a SQL injection attack, including the use of SQL keywords and functions such as SELECT, CASE, SUBSTRING, ASCII, BIN, and conditional SLEEP() statements. These elements are characteristic of time-based blind SQL injection, a technique attackers use to extract database information when direct query results are not visible.

From a professional cybersecurity perspective, the presence of expressions like:

SELECT (CASE WHEN … THEN SLEEP(x))

SUBSTRING(password,1,1)

ASCII() and binary conversions

indicates that the attacker is probing the backend database character by character and using response timing to infer whether conditions are true or false. This is a well-known exploitation method used when error messages or query output are suppressed by the application.

The use of Base64 encoding does not represent the attack itself but rather an obfuscation technique to evade basic web application firewall (WAF) signatures and logging visibility. Encoding payloads allows attackers to bypass simple pattern-matching defenses, but once decoded, the underlying SQL injection becomes evident.

Option A (Unicode encoding) is incorrect because Unicode is commonly used for evasion, not exploitation. Option C (directory traversal) typically involves sequences like ../ to access filesystem paths, which are not present. Option D (XSS) targets client-side script execution and would include JavaScript payloads rather than database-focused logic.

According to the MITRE ATT & CK framework, this activity maps to Initial Access – Exploit Public-Facing Application (T1190). SQL injection remains one of the most exploited vulnerabilities in public-facing applications due to poor input validation and insecure coding practices.

For threat hunters and defenders, this scenario reinforces the importance of deep payload inspection, decoding obfuscated requests, monitoring for anomalous database query behavior, and enforcing secure development practices such as parameterized queries and input sanitization. SQL injection continues to be a high-impact, real-world attack vector despite being well understood, making it a critical focus area in web application threat hunting.

The correct answer is authentication and remote execution logs . Lateral movement using legitimate tools relies heavily on credential use and remote management protocols , not malware execution.

Attackers commonly use:

RDP

SMB administrative shares

WinRM

WMI

SSH

These techniques generate authentication events, remote logons, and service execution logs rather than malware alerts. Antivirus tools are ineffective here because no malicious binaries are involved.

Option A is ineffective against living-off-the-land attacks. Option B is unrelated to lateral movement. Option D may show some activity but lacks the necessary depth to identify privilege misuse or session hopping.

Authentication telemetry enables hunters to detect anomalies such as:

Logons between non-associated systems

Sudden administrative access

Credential reuse across hosts

Abnormal session timing and frequency

This data is foundational for credential-based attack detection , which remains one of the most common breach paths today. It also aligns with MITRE ATT & CK Lateral Movement and Credential Access tactics .

Thus, option C is the correct answer.

The correct answer is Observation of repeated failed logins followed by a successful login from a new location . This scenario represents an Indicator of Attack (IOA) because it reflects attacker behavior in progress , not confirmed compromise.

IOAs focus on patterns of malicious intent , such as credential abuse, reconnaissance, or lateral movement, even when no malware or known indicators are present. In this case, the sequence of failed authentication attempts followed by a successful login from an unusual location strongly suggests password spraying or credential stuffing , both common initial access techniques.

Options A, B, and D are classic Indicators of Compromise (IOCs) . Hashes, domains, and IP addresses are static artifacts that indicate a system has already been compromised . These indicators sit low on the Pyramid of Pain and are easy for attackers to change.

Cisco’s CBRTHD blueprint emphasizes hunting for IOAs because they enable:

Earlier detection

Reduced dwell time

Higher attacker cost

Cisco tools such as Secure Network Analytics , Secure Endpoint , and SIEM platforms are designed to correlate behavioral signals like authentication anomalies rather than relying solely on known bad indicators.

Therefore, Option C is the correct and Cisco-aligned answer.