While investigating multiple incidents using Cisco telemetry, analysts notice that attackers consistently use valid credentials, avoid malware, and rely on remote management protocols. Why is this information valuable for attribution?
Answer : C
The correct answer is it exposes consistent attacker tradecraft. Attribution relies on identifying how attackers behave, not just what tools or infrastructure they use.
Using valid credentials, avoiding malware, and abusing remote management protocols represent intentional operational choices. These behaviors are difficult to change and often persist across campaigns.
Options A and B focus on artifacts that attackers frequently rotate. Option D assumes exploitation, which may not be present at all.
Cisco-aligned threat hunting emphasizes:
MITRE ATT&CK technique mapping
Behavioral consistency
Operational patterns
This information enables analysts to compare activity against known adversary profiles maintained by Cisco Talos and other intelligence sources.
Thus, Option C is the correct answer.
A SOC team using Cisco security technologies wants to improve its ability to detect threats that bypass traditional security controls by abusing valid user credentials. Which hunting focus MOST effectively addresses this challenge?
Answer : C
The correct answer is analyzing authentication behavior anomalies across users and devices. Credential abuse is one of the most common and effective techniques used by modern attackers because it allows them to blend in with legitimate activity and bypass malware-based defenses.
Options A and B rely on malware indicators, which are often absent in credential-based attacks. Option D addresses only one potential delivery or command-and-control vector and does not detect misuse of valid credentials.
By analyzing authentication behavior, threat hunters can detect:
Impossible travel scenarios
Abnormal login times
Excessive failed logins followed by success
Logins from unusual devices or locations
Data sources such as Cisco Secure Network Analytics, VPN telemetry, and identity logs provide rich material for this type of hunting. The approach keys on Indicators of Attack (IOAs), that is, on behavior, rather than on Indicators of Compromise (IOCs) such as file hashes and addresses, which pushes detection up the Pyramid of Pain to where evasion is costly for the adversary.
Within the CBRTHD blueprint, hunting for credential misuse is a core competency, especially in cloud and remote-access environments. Detecting these behaviors early significantly reduces attacker dwell time and limits the blast radius of compromise.
Therefore, Option C is the most effective and Cisco-aligned answer.
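As an added illustration of the authentication-behavior hunting described above (example code written for this page, not Cisco tooling and not part of the original question), the Python below runs the four listed checks over a constructed set of login records. The record layout, the 900 km/h travel threshold, the 07:00 to 20:00 business window, the five-failures-in-ten-minutes spray threshold, and the per-user device baseline are all assumptions chosen for illustration.

```python
"""Hunt identity-log records for the four credential-abuse patterns above.

Added example, not from the original page. The events are constructed to
look like normalised VPN/identity-provider login records; the field layout,
thresholds and device baseline are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample: (timestamp, user, device, result, city, latitude, longitude)
SAMPLE_EVENTS = [
    ("2024-03-04T09:02:00", "alice", "alice-laptop", "Success", "Austin", 30.27, -97.74),
    ("2024-03-04T09:40:00", "alice", "unknown-host-7", "Success", "Kyiv", 50.45, 30.52),
    ("2024-03-04T03:15:00", "bob", "bob-laptop", "Success", "Denver", 39.74, -104.99),
    ("2024-03-04T10:00:00", "carol", "srv-jump01", "Failure", "Dallas", 32.78, -96.80),
    ("2024-03-04T10:01:00", "carol", "srv-jump01", "Failure", "Dallas", 32.78, -96.80),
    ("2024-03-04T10:02:00", "carol", "srv-jump01", "Failure", "Dallas", 32.78, -96.80),
    ("2024-03-04T10:03:00", "carol", "srv-jump01", "Failure", "Dallas", 32.78, -96.80),
    ("2024-03-04T10:04:00", "carol", "srv-jump01", "Failure", "Dallas", 32.78, -96.80),
    ("2024-03-04T10:06:00", "carol", "srv-jump01", "Success", "Dallas", 32.78, -96.80),
    ("2024-03-04T11:00:00", "dave", "dave-laptop", "Success", "Austin", 30.27, -97.74),
    ("2024-03-04T12:00:00", "dave", "dave-laptop", "Success", "Austin", 30.27, -97.74),
]

# Assumed baseline of devices each user normally authenticates from.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"},
                 "carol": {"srv-jump01"}, "dave": {"dave-laptop"}}

def parse(events):
    """Convert raw tuples into dicts with datetime objects, ordered by time."""
    keys = ("time", "user", "device", "result", "city", "lat", "lon")
    parsed = [dict(zip(keys, e)) for e in events]
    for e in parsed:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(parsed, key=lambda e: e["time"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def by_user(events, result=None):
    """Group events per user (time order preserved), optionally by result type."""
    groups = defaultdict(list)
    for e in events:
        if result is None or e["result"] == result:
            groups[e["user"]].append(e)
    return groups

def impossible_travel(events, max_kmh=900.0):
    """Consecutive successes whose implied speed exceeds an airliner's."""
    findings = []
    for user, logins in by_user(events, "Success").items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                findings.append({"user": user, "from": prev["city"],
                                 "to": cur["city"], "kmh": round(km / hours)})
    return findings

def off_hours(events, start_hour=7, end_hour=20):
    """Successful logins outside the assumed business window."""
    return [{"user": e["user"], "time": e["time"].isoformat()} for e in events
            if e["result"] == "Success" and not start_hour <= e["time"].hour < end_hour]

def spray_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """A burst of failures followed by a success: a guess that landed."""
    findings = []
    for user, logins in by_user(events).items():
        for i, e in enumerate(logins):
            if e["result"] != "Success":
                continue
            failures = sum(1 for p in logins[:i]
                           if p["result"] == "Failure" and e["time"] - p["time"] <= window)
            if failures >= min_failures:
                findings.append({"user": user, "failures": failures,
                                 "success_at": e["time"].isoformat()})
    return findings

def new_device(events, known=KNOWN_DEVICES):
    """Successful logins from a device absent from the user's baseline."""
    return [{"user": e["user"], "device": e["device"]} for e in events
            if e["result"] == "Success" and e["device"] not in known.get(e["user"], set())]

def hunt(raw_events):
    """Run every check and return the findings keyed by check name."""
    events = parse(raw_events)
    return {"impossible_travel": impossible_travel(events),
            "off_hours": off_hours(events),
            "spray_then_success": spray_then_success(events),
            "new_device": new_device(events)}

if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_EVENTS).items():
        print(check, hits)
```

On the sample data the hunt flags alice for impossible travel (Austin to Kyiv in 38 minutes) and for a device outside her baseline, bob for a 03:15 login, and carol for five failures followed by a success. Each check is a separate function so that thresholds can be tuned per population; in practice the business window and the device baseline should come from observed history rather than constants.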
Refer to the exhibit.

A company went through several rounds of restructuring and the previous security team has been let go. A new engineer joins and rediscovers all the tools that the previous team left behind. One of the tools is a Bash script related to monitoring AWS accounts for threats. What is the purpose of the script?
Answer : A
The correct answer is Monitoring failed AWS console login attempts. The Bash script shown in the exhibit is clearly designed to parse AWS CloudTrail logs and extract specific authentication-related events.
Breaking down the script behavior from a professional cloud security perspective:
gunzip -c *.json.gz indicates the script is processing compressed CloudTrail log files, which are typically stored in .json.gz format.
jq -c '.Records[]' parses individual CloudTrail records, a common approach when analyzing AWS activity logs.
The filter conditions explicitly check for:
eventSource == 'signin.amazonaws.com'
eventName == 'ConsoleLogin'
responseElements.ConsoleLogin == 'Failure'
These fields are definitive indicators of failed AWS Management Console login attempts. Additionally, the script extracts contextual fields such as:
Event time
Source IP address
Error message
AWS region
Username
MFA usage status
This data is exactly what security teams use to detect credential abuse, password spraying, brute-force attempts, and compromised IAM accounts. Monitoring failed console logins is a foundational cloud threat hunting activity, especially for identifying early stages of account takeover.
Option B is incorrect because the script does not establish AWS CLI sessions or authenticate to accounts. Option C is incorrect because instance errors would involve services like ec2.amazonaws.com and different event names. Option D is incorrect because the script is analyzing records, not archiving them, and it applies filtering logic rather than storage or lifecycle management.
From a threat hunting and cloud security standpoint, this script supports identity-focused detection, which is critical in AWS environments where IAM misuse is one of the most common initial access vectors. In MITRE ATT&CK terms it covers Brute Force (T1110, including Password Spraying, T1110.003) under Credential Access and the abuse of Valid Accounts (T1078, Cloud Accounts, T1078.004) under Initial Access.
In summary, the script's clear purpose is to monitor failed AWS console login attempts, making Option A the correct and professionally validated answer.
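Since the exhibit itself is not reproduced here, the following is an added Python equivalent of the filter described above (example code written for this page, not the exhibit's Bash script and not Cisco or AWS tooling). It gunzips a CloudTrail delivery file, keeps ConsoleLogin events from signin.amazonaws.com whose responseElements.ConsoleLogin is Failure, projects the same fields the script extracts, and then goes one step further than the script by grouping failures per source address to separate brute force against one user from a spray across many. The records, account ID and addresses are constructed sample data; the thresholds are assumptions.

```python
"""Extract failed AWS Console logins from gzipped CloudTrail and triage them.

Added example, not the exhibit's script. Mirrors
  gunzip -c *.json.gz | jq -c '.Records[]' | <filter on signin/ConsoleLogin/Failure>
in Python, then classifies source addresses (the exhibit's script stops at
extraction). All records below are constructed; the account ID is a placeholder.
"""
import gzip
import io
import json
from collections import Counter, defaultdict

def make_record(time, user, ip, outcome, mfa="No", region="us-east-1"):
    """Build a CloudTrail ConsoleLogin record in the shape CloudTrail emits."""
    return {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": user},
        "eventTime": time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": region,
        "sourceIPAddress": ip,
        "errorMessage": "Failed authentication" if outcome == "Failure" else None,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
        "eventType": "AwsConsoleSignIn",
    }

# Constructed log: one address spraying four users, one brute-forcing alice,
# a legitimate MFA success, and an unrelated API call the filter must skip.
SAMPLE_RECORDS = [
    make_record("2024-03-04T10:00:01Z", "alice", "198.51.100.7", "Failure"),
    make_record("2024-03-04T10:00:02Z", "bob", "198.51.100.7", "Failure"),
    make_record("2024-03-04T10:00:03Z", "carol", "198.51.100.7", "Failure"),
    make_record("2024-03-04T10:00:04Z", "dave", "198.51.100.7", "Failure"),
    make_record("2024-03-04T10:05:00Z", "alice", "203.0.113.9", "Failure"),
    make_record("2024-03-04T10:05:05Z", "alice", "203.0.113.9", "Failure"),
    make_record("2024-03-04T10:05:10Z", "alice", "203.0.113.9", "Failure"),
    make_record("2024-03-04T10:30:00Z", "alice", "192.0.2.25", "Success", mfa="Yes"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2024-03-04T10:31:00Z", "awsRegion": "us-east-1",
     "sourceIPAddress": "192.0.2.25", "userIdentity": {"userName": "alice"}},
]

def gzip_cloudtrail(records):
    """Serialise records as a CloudTrail delivery file: {"Records": [...]}, gzipped."""
    return gzip.compress(json.dumps({"Records": records}).encode())

def iter_records(gz_bytes):
    """Equivalent of `gunzip -c file.json.gz | jq -c '.Records[]'`."""
    with gzip.open(io.BytesIO(gz_bytes), "rt") as fh:
        yield from json.load(fh)["Records"]

def failed_console_logins(records):
    """Keep failed console sign-ins and project the fields the exhibit's script extracts."""
    out = []
    for r in records:
        response = r.get("responseElements") or {}   # CloudTrail may emit null here
        if (r.get("eventSource") == "signin.amazonaws.com"
                and r.get("eventName") == "ConsoleLogin"
                and response.get("ConsoleLogin") == "Failure"):
            out.append({
                "time": r["eventTime"],
                "source_ip": r["sourceIPAddress"],
                "error": r.get("errorMessage"),
                "region": r["awsRegion"],
                "user": (r.get("userIdentity") or {}).get("userName"),
                "mfa_used": (r.get("additionalEventData") or {}).get("MFAUsed"),
            })
    return out

def classify_sources(failures, spray_users=3, brute_attempts=3):
    """Label each source IP 'spray' (many users), 'brute' (many tries on one user) or None."""
    users_by_ip = defaultdict(set)
    attempts = Counter()
    for f in failures:
        users_by_ip[f["source_ip"]].add(f["user"])
        attempts[(f["source_ip"], f["user"])] += 1
    verdict = {}
    for ip, users in users_by_ip.items():
        if len(users) >= spray_users:
            verdict[ip] = "spray"
        elif max(attempts[(ip, u)] for u in users) >= brute_attempts:
            verdict[ip] = "brute"
        else:
            verdict[ip] = None
    return verdict

if __name__ == "__main__":
    failures = failed_console_logins(iter_records(gzip_cloudtrail(SAMPLE_RECORDS)))
    for f in failures:
        print(f)
    print(classify_sources(failures))
```

Running it yields seven failure rows with the error text "Failed authentication" and the MFA flag for each, and the classifier marks 198.51.100.7 as a spray and 203.0.113.9 as brute force while the successful MFA login and the EC2 call are left out. Real CloudTrail files are usually many small .json.gz objects per account and region, so in practice the record iterator would loop over a directory or an S3 prefix rather than one in-memory buffer.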
During an investigation, analysts observe that attackers consistently avoid PowerShell logging, disable AMSI, and prefer WMI for execution. Why is this information critical for attribution?
Answer : C
The correct answer is it reflects the attacker's operational preferences. Attribution relies on understanding how attackers operate, not just what tools they use.
Operational preferences, such as avoiding PowerShell logging, disabling AMSI, and favoring WMI, are behavioral signatures. These patterns often persist across campaigns and are documented in threat intelligence reports associated with specific adversaries.
Option A is incorrect because malware families change frequently. Option B is unreliable due to infrastructure rotation. Option D is unrelated to post-access tradecraft.
Professional attribution focuses on:
Execution methods
Defensive evasion choices
Tooling preferences
Workflow consistency
Mapping these behaviors to MITRE ATT&CK techniques enables analysts to compare findings against known threat actor profiles. This provides higher confidence attribution than artifact-based indicators.
Thus, option C is the correct answer.
A threat hunter completes a structured hunt and confirms malicious lateral movement within the environment. Which action BEST ensures the hunt contributes to long-term defensive improvement?
Answer : C
The correct answer is documenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.
Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.
Within the CBRTHD threat hunting lifecycle, confirmed malicious activity should result in:
Detailed documentation of attacker techniques
Identification of detection gaps
Creation or refinement of SIEM, EDR, or NDR rules
This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.
Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.
Thus, Option C is the correct and professionally validated answer.
What is the classification of the pass-the-hash technique according to the MITRE ATT&CK framework?
Answer : C
The answer key for this question places pass-the-hash (PtH) under Credential Access, and the explanation below follows that framing. Hunters should also know how the ATT&CK matrix itself files the behavior: Pass the Hash is sub-technique T1550.002 of Use Alternate Authentication Material (T1550), which ATT&CK maps to the Defense Evasion and Lateral Movement tactics; the step that obtains the NTLM hash in the first place is OS Credential Dumping (T1003, for example LSASS Memory, T1003.001), and that is what ATT&CK lists under Credential Access (TA0006). What unites both views is the attacker's objective: reusing stolen credential material, here an NTLM hash, to authenticate without ever knowing the plaintext password.
From a threat hunting perspective, PtH exploits the way Windows NTLM authentication handles credential storage and reuse. When a user authenticates, the NTLM hash is held in memory by LSASS (Local Security Authority Subsystem Service) so the user can be re-authenticated to other services transparently. An attacker with administrative or SYSTEM-level access on a host can read LSASS memory, extract those hashes, and replay them against other systems in the environment.
Pass-the-hash is most often observed during lateral movement, and the ATT&CK mapping of T1550 reflects that the movement, and the bypass of normal authentication, are what the technique itself performs. The answer key's Credential Access framing instead emphasizes the defining precondition: theft and misuse of credential material. In practice the label matters less than covering both halves, because the movement is only possible once authentication secrets have been taken, so a PtH hunt has to look at the dumping and at the reuse.
This distinction is important for threat hunters and detection engineers. When hunting for PtH, defenders look for abnormal NTLM authentication: Event ID 4624 logons with LogonType 3 and AuthenticationPackageName NTLM where Kerberos is expected, the same account authenticating by NTLM to many systems within a short window, LogonType 9 logon sessions created through the seclogo logon process (the trace left by hash-injection tools, and also by a legitimate runas /netonly), and suspicious process access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (Event IDs 4624 and 4672), and EDR memory-access alerts are the usual data sources.
Treating PtH as an identity problem helps teams prioritize the controls that break it: Credential Guard, running LSASS as a protected process (RunAsPPL), restricting or disabling NTLM where possible, least privilege so that local administrator credentials are not shared across hosts, and monitoring of authentication anomalies. It also reinforces a core principle: identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.
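As an added example of the hunting described above (written for this page; not Cisco or Microsoft tooling and not from the original question), the Python below runs three of those checks over constructed 4624 records: NTLM network logons by domain accounts that should have obtained a Kerberos ticket, one account authenticating by NTLM to several hosts within minutes, and LogonType 9 sessions created through seclogo with the Negotiate package. The host names, accounts, the CORP domain and the thresholds are assumptions.

```python
"""Hunt Windows Security 4624 logon events for pass-the-hash patterns.

Added example, not from the original page. The events are constructed to
resemble 4624 records after field extraction; host names, accounts and the
CORP domain are fictitious, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 events:
# (time, host, account, LogonType, AuthenticationPackageName, LogonProcessName, IpAddress)
SAMPLE_4624 = [
    ("2024-03-04T09:00:00", "FS01", "CORP\\alice", 3, "Kerberos", "Kerberos", "10.0.1.20"),
    ("2024-03-04T09:01:00", "FS01", "CORP\\bob", 3, "Kerberos", "Kerberos", "10.0.1.21"),
    ("2024-03-04T09:05:00", "WS-DEV07", "CORP\\svc_backup", 9, "Negotiate", "seclogo", "-"),
    ("2024-03-04T09:06:00", "FS01", "CORP\\svc_backup", 3, "NTLM", "NtLmSsp", "10.0.1.77"),
    ("2024-03-04T09:06:30", "FS02", "CORP\\svc_backup", 3, "NTLM", "NtLmSsp", "10.0.1.77"),
    ("2024-03-04T09:07:00", "SQL01", "CORP\\svc_backup", 3, "NTLM", "NtLmSsp", "10.0.1.77"),
    ("2024-03-04T09:07:30", "DC01", "CORP\\svc_backup", 3, "NTLM", "NtLmSsp", "10.0.1.77"),
    ("2024-03-04T09:10:00", "FS01", "FS01\\localadmin", 3, "NTLM", "NtLmSsp", "10.0.1.30"),
    ("2024-03-04T09:15:00", "FS01", "CORP\\carol", 2, "Negotiate", "User32", "-"),
]

DOMAIN = "CORP"  # assumption: accounts in this domain are expected to use Kerberos

def parse(events):
    """Convert raw tuples into dicts with datetime objects, ordered by time."""
    keys = ("time", "host", "account", "logon_type", "auth_package", "logon_process", "source_ip")
    parsed = [dict(zip(keys, e)) for e in events]
    for e in parsed:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(parsed, key=lambda e: e["time"])

def is_domain_account(account, domain=DOMAIN):
    """'CORP\\alice' -> True; 'FS01\\localadmin' (a local account) -> False."""
    return account.split("\\", 1)[0].upper() == domain.upper()

def ntlm_network_logons(events):
    """Network (type 3) logons that negotiated NTLM rather than Kerberos."""
    return [e for e in events if e["logon_type"] == 3 and e["auth_package"] == "NTLM"]

def ntlm_where_kerberos_expected(events):
    """Domain accounts using NTLM on the domain: a hash, not a ticket, was presented."""
    return [e for e in ntlm_network_logons(events) if is_domain_account(e["account"])]

def hash_reuse_across_hosts(events, min_hosts=3, window=timedelta(minutes=5)):
    """One account NTLM-authenticating to several distinct hosts inside the window."""
    by_account = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_account[e["account"]].append(e)
    findings = []
    for account, logons in by_account.items():
        for i, first in enumerate(logons):
            hosts = {x["host"] for x in logons[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                findings.append({"account": account, "hosts": sorted(hosts),
                                 "source_ips": sorted({x["source_ip"] for x in logons}),
                                 "start": first["time"].isoformat()})
                break  # one finding per account is enough for triage
    return findings

def injected_logon_sessions(events):
    """LogonType 9 + LogonProcessName seclogo + Negotiate: a new logon session seeded
    with supplied credentials. Hash-injection tools leave this; so does runas /netonly,
    so baseline it against known administrator workstations."""
    return [e for e in events if e["logon_type"] == 9
            and e["logon_process"].lower() == "seclogo" and e["auth_package"] == "Negotiate"]

def hunt(raw_events):
    """Run every check and return the findings keyed by check name."""
    events = parse(raw_events)
    return {"ntlm_where_kerberos_expected": ntlm_where_kerberos_expected(events),
            "hash_reuse": hash_reuse_across_hosts(events),
            "injected_sessions": injected_logon_sessions(events)}

if __name__ == "__main__":
    for check, hits in hunt(SAMPLE_4624).items():
        print(check, hits)
```

On the sample the story is visible in one pass: svc_backup gets a seclogo session on WS-DEV07 at 09:05 and within two minutes authenticates by NTLM from 10.0.1.77 to four servers, while the Kerberos logons and the local account on FS01 are left alone. In production the first check needs a baseline, because domain accounts legitimately fall back to NTLM when a host is addressed by IP instead of name or is not domain-joined; tune it per network rather than treating every NTLM logon as a hit.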
Refer to the exhibit.

A security team detects a spike in traffic from the company web server. After further investigation, the team discovered that multiple connections have been established from the server to different IP addresses, but the web server logs contain both expected traffic and DDoS traffic. Which attribute must the team use to further filter the logs?
Answer : A
The correct answer is Connection status. In this scenario, the key challenge for the security team is differentiating legitimate outbound traffic from malicious or DDoS-related traffic originating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.
The exhibit shows many TCP connections from the web server to different external IP addresses in a mix of states such as ESTABLISHED, TIME_WAIT, and FIN_WAIT. In this scenario the server is the one opening the connections, so it is being used to generate attack traffic rather than absorbing it, and connection state is what separates that traffic from normal serving. Legitimate web sessions complete the handshake, carry a request, and close cleanly, so they spend their life in ESTABLISHED and only briefly in TIME_WAIT. Sessions generated by a flood are opened toward many distinct peers and either never complete (SYN_SENT), are torn down as soon as they open, or pile up in half-closed states such as FIN_WAIT, so a large share of entries in those states, spread across many destinations, marks the attack traffic.
Option B (destination port) does not help because both legitimate and malicious web traffic commonly use ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all of the traffic in question already originates from that server. Option D (protocol) is equally ineffective, since both the normal and the DDoS traffic here use TCP.
From a professional SOC and threat hunting standpoint, connection state analysis is a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.
This approach aligns with mature threat hunting practices: when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.
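To make the connection-state pivot concrete, here is an added Python example (not from the original page or its exhibit) that parses a constructed netstat -ant snapshot from a web server, tallies connections by TCP state, separates server-initiated sessions from inbound client sessions on the served ports, and flags any remote port toward which the server is contacting many distinct peers with mostly unsettled sessions. Addresses are from documentation ranges; the served-port set and the thresholds are assumptions.

```python
"""Filter a netstat snapshot by TCP connection state to isolate attack traffic.

Added example, not from the original page. SAMPLE_NETSTAT is constructed to
resemble `netstat -ant` on a web server that is serving normal HTTPS clients
while also being driven to open many outbound connections. Addresses are from
documentation ranges; served ports and thresholds are assumptions.
"""
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.10.5.20:443          198.51.100.14:52144     ESTABLISHED
tcp        0      0 10.10.5.20:443          198.51.100.22:49188     ESTABLISHED
tcp        0      0 10.10.5.20:443          203.0.113.91:61002      ESTABLISHED
tcp        0      0 10.10.5.20:443          192.0.2.130:50321       TIME_WAIT
tcp        0      0 10.10.5.20:53012        10.10.5.5:3306          ESTABLISHED
tcp        0      1 10.10.5.20:41022        203.0.113.7:80          SYN_SENT
tcp        0      1 10.10.5.20:41023        203.0.113.8:80          SYN_SENT
tcp        0      0 10.10.5.20:41024        203.0.113.9:80          TIME_WAIT
tcp        0      1 10.10.5.20:41025        203.0.113.10:80         SYN_SENT
tcp        0      0 10.10.5.20:41026        203.0.113.11:80         FIN_WAIT1
tcp        0      0 10.10.5.20:41027        203.0.113.12:80         ESTABLISHED
tcp        0      1 10.10.5.20:41028        203.0.113.13:80         SYN_SENT
tcp        0      0 10.10.5.20:41029        203.0.113.14:80         TIME_WAIT
"""

# States in which a session has not (or no longer) settled into normal data transfer.
UNSETTLED_STATES = {"SYN_SENT", "SYN_RECV", "TIME_WAIT", "FIN_WAIT1", "FIN_WAIT2",
                    "CLOSE_WAIT", "LAST_ACK", "CLOSING"}

def split_endpoint(endpoint):
    """'10.10.5.20:443' -> ('10.10.5.20', 443); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -ant text into connection dicts, skipping headers and non-TCP rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local_ip, local_port = split_endpoint(parts[3])
        remote_ip, remote_port = split_endpoint(parts[4])
        conns.append({"proto": parts[0], "local_ip": local_ip, "local_port": local_port,
                      "remote_ip": remote_ip, "remote_port": remote_port, "state": parts[5]})
    return conns

def state_summary(conns):
    """Count connections per TCP state: the first pivot an analyst makes."""
    return Counter(c["state"] for c in conns)

def outbound(conns, served_ports=frozenset({80, 443})):
    """Connections the server itself initiated: not listening, not on a served port."""
    return [c for c in conns if c["state"] != "LISTEN" and c["local_port"] not in served_ports]

def flag_outbound_flood(conns, min_remote_ips=5, min_unsettled_ratio=0.5):
    """Group server-initiated connections by remote port and flag ports where many
    distinct peers are contacted and most of the sessions never settle."""
    by_port = defaultdict(list)
    for c in outbound(conns):
        by_port[c["remote_port"]].append(c)
    flagged = {}
    for port, group in by_port.items():
        remote_ips = {c["remote_ip"] for c in group}
        unsettled = sum(1 for c in group if c["state"] in UNSETTLED_STATES)
        ratio = unsettled / len(group)
        if len(remote_ips) >= min_remote_ips and ratio >= min_unsettled_ratio:
            flagged[port] = {"distinct_remote_ips": len(remote_ips),
                             "states": dict(Counter(c["state"] for c in group)),
                             "unsettled_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print(state_summary(conns))
    print(flag_outbound_flood(conns))
```

On the sample, the inbound HTTPS sessions and the database connection pass untouched, while the eight outbound connections to port 80 on eight different hosts, seven of them stuck in SYN_SENT, TIME_WAIT or FIN_WAIT1, are flagged as the flood. The same grouping applies to firewall or NetFlow records once connection state (or the TCP flags that imply it) is available as a field.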