Free Cisco 300-220 Practice Exam with Questions & Answers

The correct answer isCollect and process intelligence and data. In this scenario, theinitial threat hunting phaseoccurred when the SOC team received the alert and began analyzing SIEM logs to validate whether the activity was legitimate or malicious. This aligns directly with the first phase of the threat hunting lifecycle, which focuses on gathering, normalizing, and analyzing security-relevant data.

Threat hunting is a structured, hypothesis-driven process, but it always begins withdata collection and intelligence processing. This includes ingesting logs from identity providers, authentication systems, cloud platforms, VPNs, and endpoint telemetry into a SIEM. In this case, the alert regarding a sign-in from an unusual country triggered analysts to examine historical login patterns and geolocation data. By confirming that the user had never authenticated from that country, the team established that the event was anomalous and likely malicious.

Option B (Response and resolution) occurredafterthe initial phase, when the IT administrator reset the user’s password to contain the threat. Option C (Hypothesis) would involve formulating a theory such as “the account may be compromised due to credential theft,” but this step requires validated data first. Option D (Post-incident review) only happens after the incident has been fully resolved and lessons learned are documented.

From a professional cybersecurity operations perspective, this phase is critical becausehigh-quality data determines hunt effectiveness. Poor log coverage or incomplete identity telemetry would prevent analysts from confidently confirming the anomaly. This example also highlights why identity-related telemetry is foundational to modern threat hunting—compromised credentials remain one of the most common initial access vectors.

In short, before a SOC can hypothesize, respond, or improve controls, it must firstcollect and process accurate intelligence and data, making option A the correct answer.

The correct answer isit reveals operational discipline and intent. Attribution relies heavily on understandinghow attackers think and operate, not just the tools they use.

Operational discipline—such as careful reconnaissance, avoiding noisy exploitation, and operating during business hours—is ahuman behavioral pattern. These patterns are far more stable than infrastructure or malware and often correlate strongly with specific threat actor groups.

Option A and D focus on tooling, which changes frequently. Option B relates to persistence, not attribution.

Threat intelligence professionals use operational characteristics to distinguish between opportunistic criminals and advanced adversaries. Business-hour activity, careful lateral movement, and deliberate escalation often indicatetargeted intrusions, espionage, or financially motivated but sophisticated actors.

This information helps analysts align observed behavior with known threat actor profiles, improving attribution confidence. Thus, optionCis correct.

The correct answer isSimple. The exhibit shows an EDR query filtering onspecific IPv4 addresses, which are classicIndicators of Compromise (IOCs). Within thePyramid of Painmodel, IP addresses sit at thelowest level, representing the least painful indicators for adversaries to change.

The Pyramid of Pain categorizes detection indicators by how costly they are for attackers to replace:

Simple→ Hashes, IP addresses, domain names

Easy→ Network artifacts (URI patterns, user-agent strings)

Challenging→ Host artifacts (registry keys, file paths, mutexes)

Tough→ Tactics, Techniques, and Procedures (TTPs)

In this scenario, the threat-hunting team is querying EDR telemetry for outbound connections toknown C2 IP addresses. While this is a valid and common detection technique—especially for rapid containment—it provides minimal long-term defensive value. Attackers can easily rotate C2 infrastructure by changing IPs, using cloud hosting, fast-flux DNS, or proxy networks.

Option C (Easy) would apply if the team were hunting fornetwork artifacts, such as suspicious URI paths or protocol misuse. Option B (Challenging) would involvehost-based artifacts, like malware persistence keys or file system changes. Option A (Tough) represents the highest maturity—detectingadversary behavior and techniques, such as beaconing patterns, lateral movement workflows, or credential abuse—none of which are present here.

From a professional threat-hunting standpoint, IP-based detections are best used asshort-term controlsfor blocking known threats or scoping an incident. Mature organizations use them as a starting point, then pivot toward higher-fidelity detections that sit higher on the Pyramid of Pain and impose greater operational cost on attackers.

In summary, querying known C2IP addressescorresponds to theSimplelevel of the Pyramid of Pain, makingOption Dthe correct answer.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected in the environment.

As threat hunting maturity increases:

Detection becomes faster

Behavioral coverage improves

Attackers are identified earlier in the kill chain

Metrics such as alert volume or blocked IPs (Options A and D) do not reflect effectiveness and may even indicate excessive noise. Option B measures inputs, not outcomes.

Cisco’sCBRTHD blueprintfocuses onoutcomes, not activity. Reduced dwell time demonstrates:

Effective hunting

Better visibility

Stronger detection engineering

This metric directly correlates with reduced breach impact and improved resilience.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isdocumenting findings and updating detection logic. This represents thepost-hunt operationalization phase, which is critical for long-term security improvement.

While options A and C are necessary response actions, they address only thecurrent incident. Threat hunting’s strategic value comes from transforming discoveries intorepeatable detections, playbooks, and controls.

Professional threat hunting programs ensure that:

Successful hunts produce new SIEM rules

Detection gaps are closed

Findings are documented for future analysts

Lessons learned inform security architecture decisions

Option D continues exploration but fails to institutionalize knowledge. Without operationalizing results, organizations repeatedly rediscover the same threats.

This phase directly increases maturity in theThreat Hunting Maturity Model, shifting organizations from hero-driven hunting to scalable, resilient detection. It also moves defendersup the Pyramid of Pain, forcing adversaries to change tactics rather than indicators.

Therefore, optionBis the correct and most strategically important answer.

The correct answer islegitimate system processes executing encoded commands. Fileless malware avoids writing binaries to disk and instead abuses trusted processes such as PowerShell, WMI, or rundll32.

Encoded or obfuscated commands executed by legitimate binaries are a strong indicator offileless execution and defense evasion. Cisco Secure Endpoint provides deep visibility into command-line arguments and process behavior, enabling detection of this technique.

Option A is normal behavior. Option B may indicate suspicious execution but still involves files. Option D relies on file presence, which fileless attacks intentionally avoid.

This technique aligns withMITRE ATT&CK – Command and Scripting Interpreter and Defense Evasionand is directly relevant toCBRTHD exam objectivesrelated to endpoint-based threat hunting.

Therefore,Option Cis the correct answer.

The correct answer isit reveals consistent attacker tradecraft across incidents. Attribution relies onbehavioral consistency, not on malware samples or exploits.

Avoiding malware and abusing legitimate tools (living-off-the-land techniques) reflects adeliberate operational strategy. These behaviors tend to remain consistent across campaigns and are frequently documented in threat intelligence profiles.

Options A and D are incorrect because no exploit or ransomware is involved. Option B is incorrect; living-off-the-land techniques are modern, not outdated.

Cisco-aligned threat hunting emphasizesMITRE ATT&CK mappingand behavioral analysis to support attribution efforts. This approach is far more reliable than artifact-based attribution.

Thus,Option Cis the correct answer.

Thepass-the-hash (PtH)technique is classified underCredential Accessin the MITRE ATT&CK framework. Specifically, it aligns with theCredential Access tactic (TA0006)and the techniqueUse Alternate Authentication Material (T1550), sub-techniquePass the Hash (T1550.002). This classification is based on the attacker’s primary objective: abusing stolen credential material—in this case, NTLM password hashes—to authenticate to systems without knowing the actual plaintext password.

From a professional cybersecurity and threat hunting perspective, PtH exploits weaknesses in how Windows authentication mechanisms handle credential storage and reuse. When users authenticate to a system, password hashes may be cached in memory or stored in places such as LSASS (Local Security Authority Subsystem Service). If an attacker gains administrative or SYSTEM-level access to a host, they can extract these hashes and reuse them to authenticate to other systems across the environment.

Although pass-the-hash isoften observed during lateral movement, MITRE intentionally classifies it underCredential Accessbecause the defining action is thetheft and misuse of credential material, not the movement itself. Lateral movement is a downstream outcome enabled by the stolen credentials, but the core technique is about accessing and abusing authentication secrets.

This distinction is important for threat hunters and detection engineers. When hunting for PtH activity, defenders focus on indicators such as abnormal NTLM authentication events, logons using NTLM where Kerberos is expected, reuse of the same hash across multiple systems, and suspicious access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (e.g., Event IDs 4624 and 4672), and EDR memory access alerts are commonly used data sources.

Understanding PtH as acredential access techniquehelps security teams prioritize protections such as credential guard, LSASS hardening, disabling NTLM where possible, enforcing least privilege, and monitoring authentication anomalies. This classification also reinforces a core professional principle:identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.

The correct answer isdocument findings and create permanent detections. While containment actions are necessary, they areincident response tasks, not threat hunting outcomes.

Cisco’s threat hunting lifecycle emphasizes that once malicious behavior is confirmed, teams must:

Document attacker techniques

Identify detection gaps

Convert findings into automated detections

Options A and B are tactical responses that address the current incident but do not prevent recurrence. Option D delays improvement and increases risk.

Operationalizing hunt findings ensures:

Repeated attacker behavior is detected automatically

Future dwell time is reduced

SOC maturity increases

This step directly aligns with theCBRTHD blueprint’s focus on continuous improvement and feedback loopsbetween hunting and monitoring.

Therefore,Option Cis the correct answer.

The correct answer isendpoint process execution and memory access events. During thedata collection and processing phase, the goal is to gatherhigh-fidelity telemetrythat supports hypothesis validation.

Credential harvesting often occurswithout dropping malwareand instead relies on:

Memory scraping

LSASS access

Credential dumping tools

In-memory execution

Cisco Secure Endpoint provides deep visibility into:

Process creation and parent-child relationships

Memory access attempts

Privilege abuse

Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts.

Within theCBRTHD threat hunting lifecycle, this phase emphasizesevidence over indicators. Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques.

This aligns withMITRE ATT&CK Credential Accesstactics and Cisco’s emphasis onendpoint behavioral analytics.

Thus,Option Bis the correct answer.