300-220 Exam Dumps - Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD

The correct answer isAttack trees. Attack trees are uniquely suited for modelingmulti-step adversary behavior, which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration.

Attack trees begin with ahigh-level attacker goal(for example, “Exfiltrate customer data”) and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate.

Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capturesequential attack paths. Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.

For threat hunters and defenders, attack trees provide ashared mental modelbetween architects, SOC teams, and red teams. They directly inform detection engineering by highlightingcritical choke pointswhere attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments.

In modern cloud security, where breaches often involvemultiple low-severity issues chained together, attack trees offer far greater strategic value than component-by-component analysis. They also align closely withMITRE ATT&CK mapping, enabling defenders to translate threat models into actionable hunts.

Thus, optionCis the most appropriate and professionally validated answer.

The correct answer isanalyzing authentication behavior anomalies across users and devices. Credential abuse is one of the most common and effective techniques used by modern attackers because it allows them to blend in with legitimate activity and bypass malware-based defenses.

Options A and B rely on malware indicators, which are often absent in credential-based attacks. Option D addresses only one potential delivery or command-and-control vector and does not detect misuse of valid credentials.

By analyzing authentication behavior, threat hunters can detect:

Impossible travel scenarios

Abnormal login times

Excessive failed logins followed by success

Logins from unusual devices or locations

Cisco tools such asCisco Secure Network Analytics, VPN telemetry, and identity logs provide rich data sources for this type of hunting. This approach focuses onIndicators of Attack (IOAs)rather than Indicators of Compromise (IOCs), pushing detection higher on thePyramid of Pain.

Within theCBRTHD blueprint, hunting for credential misuse is a core competency, especially in cloud and remote-access environments. Detecting these behaviors early significantly reduces attacker dwell time and limits the blast radius of compromise.

Therefore,Option Cis the most effective and Cisco-aligned answer.

The correct answer isformulating a hypothesis to search for credential misuse without alerts. This activity is the defining characteristic ofthreat hunting.

Threat hunting isproactive and hypothesis-driven, meaning analysts intentionally search for attacker behavior that has not yet triggered alerts. Detection engineering, on the other hand, focuses on building and tuning automated rules that respond to known patterns.

Options A, B, and D all representreactive or preventative security operations. They rely on known indicators or alerts and are foundational but insufficient against stealthy adversaries who abuse valid credentials and native tools.

Cisco’sCBRTHD blueprintexplicitly emphasizes hypothesis-based hunting as a core competency. Hunters ask questions like:

“If credentials were stolen, how would that look in our telemetry?”

“What behavior would indicate lateral movement without malware?”

This approach aligns with detectingIndicators of Attack (IOAs)and operating higher on thePyramid of Pain, forcing adversaries to change tactics instead of infrastructure.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isendpoint process ancestry tracking. Credential harvesting attacks frequently rely onfileless executionand living-off-the-land techniques.

When no files are written to disk, hash-based detection (Option A) is ineffective. Email sandboxing (Option C) and URL filtering (Option D) may detect initial delivery but provide little visibility into post-execution behavior.

Cisco Secure Endpoint provides detailed telemetry on:

Parent-child process relationships

Unexpected process spawning

Abnormal command-line arguments

Memory-resident execution

By analyzing process ancestry, hunters can identify suspicious chains such as:

Office applications spawning scripting engines

Browsers spawning credential-harvesting processes

Legitimate binaries launching unexpected child processes

This capability directly supportsMITRE ATT&CK Credential Access and Defense Evasion techniquesand is explicitly covered in theCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Thus,Option Bis the most accurate and Cisco-aligned answer.

The correct answers areUse of Windows Remote Management (C)andUse of tools and commands to connect to remote shares (E). Both are core mechanisms attackers leverage forlateral movementafter gaining valid credentials through techniques such as pass-the-hash or pass-the-ticket.

Windows Remote Management (WinRM) is a legitimate administrative service used for remote command execution and system management. However, attackers frequently abuse WinRM to move laterally by executing commands on remote endpoints using stolen credentials. From a threat hunting perspective, abnormal WinRM usage—such as execution outside normal administrative hours, from unusual source hosts, or by non-administrative user accounts—is a strong indicator of lateral movement activity.

Similarly, the use of tools and commands to connect to remote shares (such as net use, wmic, SMB-based access, or mounting administrative shares like C$) is a classic lateral movement technique. Attackers use remote shares to transfer tools, stage payloads, and execute malware across systems. Monitoring these activities at the endpoint level helps identify suspicious authentication attempts, unexpected share access, and abnormal file transfers.

Option A (runas) relates more to privilege escalation than lateral movement. Option B is specific to Linux privilege persistence and is not relevant to endpoint lateral movement hunting in this context. Option D (scheduled task creation) is primarily associated with persistence rather than movement between systems.

By monitoring WinRM activity and remote share usage, security teams gain visibility intocredential-based movement, which remains one of the most common and dangerous attacker behaviors in enterprise environments. Effective lateral movement hunting focuses onhow credentials are used, not just how they are stolen.

The correct answer isNetwork/host artifacts. To understand why, it is important to map the observed attacker behavior to thePyramid of Pain, a model that ranks indicators by how difficult they are for adversaries to change once detected.

In this scenario, the adversary is usingNmap OS fingerprinting, which involves sending carefully crafted packets and analyzing responses (TCP/IP stack behavior, TTL values, window sizes, flags, and timing characteristics). These behaviors leave behindnetwork and host artifacts, such as distinctive scan patterns, abnormal TCP flag combinations, OS fingerprinting probes, and consistent tool-specific traffic signatures.

On the Pyramid of Pain:

IP addresses (D)sit at the very bottom. Attackers can trivially change IPs using VPNs, proxies, or botnets.

Port probes (B)andUDPs (A)represent low-level indicators that are also easy to modify. An attacker can change scan ports, protocols, or scan timing with minimal effort.

Network/host artifacts (C)sit significantly higher. These include tool-generated behaviors, protocol anomalies, OS fingerprinting patterns, and scan logic inherent to tools like Nmap. Changing these requires attackers to reconfigure tools, write custom scanners, or significantly alter their operational approach.

From a threat hunting and SOC maturity perspective, detecting and alerting onnetwork and host artifactsforces attackers to expend more time and resources, increasing their operational cost. This aligns with the core objective of the Pyramid of Pain:maximize adversary pain by detecting behaviors, not easily replaceable indicators.

Professionally mature SOC teams focus on identifying scanning techniques (e.g., Nmap OS detection, TCP ACK probes, UDP probes) rather than blocking individual IPs. These detections are resilient, scalable, and effective against both commodity attackers and advanced adversaries.

In short, while IPs and ports are useful for short-term containment,network and host artifacts provide the highest-value indicators in this scenario, makingCthe correct answer.

The correct answer isCredential Access. In the MITRE ATT&CK framework,password sprayingis classified under theCredential Access tactic (TA0006), specifically techniqueT1110.003 – Password Spraying. This classification is based on the attacker’s primary objective:gaining valid credentialsby systematically attempting a small number of common or weak passwords across many user accounts.

Password spraying differs from brute-force attacks in that it intentionally avoids rapid or repeated attempts against a single account, thereby evading account lockout controls and basic detection mechanisms. Instead, attackers “spray” one password (for example,Winter2025!orPassword123) across a large number of users, exploiting the likelihood that at least one account will use that password.

Although successful password spraying often leads toinitial access, MITRE classifies it underCredential Accessbecause the technique’s defining action is theacquisition of credentials, not the system entry itself. Initial access is the outcome, while credential theft is the method. This distinction is critical for threat hunters, as it guides where detections and controls should be focused.

From a professional threat hunting perspective, defenders monitor authentication telemetry such as failed and successful logins across identity providers, VPNs, cloud services, and email platforms. Indicators include multiple authentication failures across many accounts from a single source IP, followed by one or more successful logins. Identity-centric logging and anomaly detection are foundational here, reinforcing the principle thatidentity is the primary attack surface in modern environments.

Understanding password spraying as a credential access technique helps organizations prioritize protections such as strong password policies, MFA enforcement, adaptive authentication, and detection logic tuned for low-and-slow authentication abuse.

The correct answer isC. Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

Cisco Secure Network Analytics (Stealthwatch) detectsCommand-and-Control (C2)activity by analyzingnetwork behavior, not by relying solely on known malicious indicators. In the exhibit, the critical investigative clue is theHTTP payload containing a suspicious external URL, which strongly suggests outbound communication from an internal host to an external command-and-control infrastructure.

The internal IP address10.201.3.99belongs to a workstation group (“Desktops”), indicating it is an internal endpoint, not a C2 server. This immediately rules out option B. Instead, the endpoint is acting as acompromised host (zombie)attempting to reach a remote server controlled by an attacker. This outbound beaconing behavior is a classic hallmark of C2 communication.

Option A is incorrect because packet count alone does not confirm C2 activity. C2 traffic is oftenlow-and-slow, intentionally designed to blend in with normal traffic patterns. Option D is also incorrect because the payload does not describe the zombie endpoint; rather, it shows aremote URL, which is likely part of malware staging or command retrieval.

From a threat hunting and SOC perspective, the most valuable information isdirectionality and intent:

Internal host → external suspicious domain

HTTP-based communication over an unusual port

Low data volume consistent with beaconing or payload retrieval

This aligns withMITRE ATT&CK – Command and Control (TA0011)techniques such asApplication Layer Protocols (T1071). Identifying which internal host is reaching out—and why—is essential for containment, endpoint isolation, and scope expansion.

Professionally, this insight enables the analyst to:

Quarantine host 10.201.3.99

Pivot to EDR telemetry on that endpoint

Block the external domain or IP

Hunt for similar beaconing patterns across the environment

In summary, the investigation is aided most by understanding thatan internal host is actively communicating with a C2 server, makingOption Cthe correct and operationally meaningful answer.