Cisco 300-220 - Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD

The correct answer isit exposes consistent attacker tradecraft. Attribution relies on identifyinghow attackers behave, not just what tools or infrastructure they use.

Using valid credentials, avoiding malware, and abusing remote management protocols representintentional operational choices. These behaviors are difficult to change and often persist across campaigns.

Option A and B focus on artifacts that attackers frequently rotate. Option D assumes exploitation, which may not be present at all.

Cisco-aligned threat hunting emphasizes:

MITRE ATT&CK technique mapping

Behavioral consistency

Operational patterns

This information enables analysts to compare activity against known adversary profiles maintained by Cisco Talos and other intelligence sources.

Thus,Option Cis the correct answer.

The correct answer isNetwork/host artifacts. To understand why, it is important to map the observed attacker behavior to thePyramid of Pain, a model that ranks indicators by how difficult they are for adversaries to change once detected.

In this scenario, the adversary is usingNmap OS fingerprinting, which involves sending carefully crafted packets and analyzing responses (TCP/IP stack behavior, TTL values, window sizes, flags, and timing characteristics). These behaviors leave behindnetwork and host artifacts, such as distinctive scan patterns, abnormal TCP flag combinations, OS fingerprinting probes, and consistent tool-specific traffic signatures.

On the Pyramid of Pain:

IP addresses (D)sit at the very bottom. Attackers can trivially change IPs using VPNs, proxies, or botnets.

Port probes (B)andUDPs (A)represent low-level indicators that are also easy to modify. An attacker can change scan ports, protocols, or scan timing with minimal effort.

Network/host artifacts (C)sit significantly higher. These include tool-generated behaviors, protocol anomalies, OS fingerprinting patterns, and scan logic inherent to tools like Nmap. Changing these requires attackers to reconfigure tools, write custom scanners, or significantly alter their operational approach.

From a threat hunting and SOC maturity perspective, detecting and alerting onnetwork and host artifactsforces attackers to expend more time and resources, increasing their operational cost. This aligns with the core objective of the Pyramid of Pain:maximize adversary pain by detecting behaviors, not easily replaceable indicators.

Professionally mature SOC teams focus on identifying scanning techniques (e.g., Nmap OS detection, TCP ACK probes, UDP probes) rather than blocking individual IPs. These detections are resilient, scalable, and effective against both commodity attackers and advanced adversaries.

In short, while IPs and ports are useful for short-term containment,network and host artifacts provide the highest-value indicators in this scenario, makingCthe correct answer.

The correct answer isConnection status. In this scenario, the key challenge for the security team is differentiatinglegitimate outbound trafficfrommalicious or DDoS-related trafficoriginating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.

The exhibit shows numerous TCP connections from the web server to many different external IP addresses, with varyingTCP statessuch as ESTABLISHED, TIME_WAIT, and FIN_WAIT. These connection states are highly valuable for threat hunting and network analysis. During DDoS activity—especially reflected or amplification-style attacks, or when a server is abused as part of an attack—connections often remain half-open, rapidly transition to TIME_WAIT, or fail to fully establish. In contrast, legitimate web traffic typically results in stable, short-lived ESTABLISHED sessions that follow predictable patterns.

Option B (destination port) is not useful here because most web traffic—both legitimate and malicious—commonly uses ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all traffic already originates from that server. Option D (protocol) is also ineffective, as both normal and DDoS traffic in this case use TCP.

From a professional SOC and threat hunting standpoint,connection state analysisis a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.

This approach aligns with mature threat hunting practices:when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.

The correct answer isFiles are encrypted. The exhibit shows a collection of API calls and strings that strongly indicatecryptographic operations associated with file encryption, a common behavior in ransomware and data-encrypting malware.

Key indicators in the script include multiple Windows Cryptographic API function calls such as:

CryptAcquireContextW

CryptCreateHash

CryptHashData

CryptDeriveKey

CryptEncrypt

CryptDecrypt

CryptDestroyKey

CryptReleaseContext

These APIs are part of theWindows CryptoAPI, which is explicitly used to generate cryptographic keys, hash data, and encrypt or decrypt content. The presence of ADVAPI32.dll further confirms cryptographic functionality, as this library provides access to Windows security and encryption services.

Additionally, registry-related APIs such as RegSetValueExA, RegOpenKeyExA, and references to:

Software\Microsoft\Windows\CurrentVersion\Run

indicate that the script may also establishpersistence, ensuring the encryption routine executes again after reboot. However, persistence is secondary; the primary functional behavior shown is encryption.

Option A is incorrect because there are no APIs related to disabling networking (such as InternetSetOption or firewall manipulation). Option B is incorrect because retrieving host version information would involve system query APIs like GetVersionEx, which are not present. Option C is incorrect because although the word sleep appears, it is commonly used by malware to delay execution or evade sandboxes—not to place the system into sleep mode.

From a threat hunting and malware analysis perspective, the combination ofCryptoAPI usage, registry modification, and internet-related APIs (InternetReadFile, InternetQueryDataAvailable) is a classic ransomware pattern: retrieve data or keys, encrypt local files, and possibly communicate with command-and-control infrastructure.

Professional defenders recognize these API patterns ashigh-confidence malicious indicators, often mapped toMITRE ATT&CK – Impact: Data Encrypted for Impact (T1486). Detecting such behavior early is critical to prevent widespread data loss and operational disruption.

In summary, the script’s API usage clearly indicates thatits execution results in file encryption, makingOption Dthe correct answer.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.

Thepass-the-hash (PtH)technique is classified underCredential Accessin the MITRE ATT&CK framework. Specifically, it aligns with theCredential Access tactic (TA0006)and the techniqueUse Alternate Authentication Material (T1550), sub-techniquePass the Hash (T1550.002). This classification is based on the attacker’s primary objective: abusing stolen credential material—in this case, NTLM password hashes—to authenticate to systems without knowing the actual plaintext password.

From a professional cybersecurity and threat hunting perspective, PtH exploits weaknesses in how Windows authentication mechanisms handle credential storage and reuse. When users authenticate to a system, password hashes may be cached in memory or stored in places such as LSASS (Local Security Authority Subsystem Service). If an attacker gains administrative or SYSTEM-level access to a host, they can extract these hashes and reuse them to authenticate to other systems across the environment.

Although pass-the-hash isoften observed during lateral movement, MITRE intentionally classifies it underCredential Accessbecause the defining action is thetheft and misuse of credential material, not the movement itself. Lateral movement is a downstream outcome enabled by the stolen credentials, but the core technique is about accessing and abusing authentication secrets.

This distinction is important for threat hunters and detection engineers. When hunting for PtH activity, defenders focus on indicators such as abnormal NTLM authentication events, logons using NTLM where Kerberos is expected, reuse of the same hash across multiple systems, and suspicious access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (e.g., Event IDs 4624 and 4672), and EDR memory access alerts are commonly used data sources.

Understanding PtH as acredential access techniquehelps security teams prioritize protections such as credential guard, LSASS hardening, disabling NTLM where possible, enforcing least privilege, and monitoring authentication anomalies. This classification also reinforces a core professional principle:identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.

The correct answer isit reveals operational discipline and intent. Attribution relies heavily on understandinghow attackers think and operate, not just the tools they use.

Operational discipline—such as careful reconnaissance, avoiding noisy exploitation, and operating during business hours—is ahuman behavioral pattern. These patterns are far more stable than infrastructure or malware and often correlate strongly with specific threat actor groups.

Option A and D focus on tooling, which changes frequently. Option B relates to persistence, not attribution.

Threat intelligence professionals use operational characteristics to distinguish between opportunistic criminals and advanced adversaries. Business-hour activity, careful lateral movement, and deliberate escalation often indicatetargeted intrusions, espionage, or financially motivated but sophisticated actors.

This information helps analysts align observed behavior with known threat actor profiles, improving attribution confidence. Thus, optionCis correct.