300-220 Exam Dumps - Cisco Certified Specialist - Threat Hunting and Defending Questions and Answers

The correct answer isUse Deep Packet Inspection (DPI) to block malicious domains. The key detail in this scenario is that the endpoint is makingcontinuous outbound TCP connections to a known Command-and-Control (C2) server over port 80, which strongly indicates active malware beaconing or payload retrieval.

Deep Packet Inspection enables security controls—such as next-generation firewalls or network security analytics platforms—to inspectapplication-layer content, including HTTP headers, URLs, domains, and payload characteristics. This allows defenders to block C2 communicationbased on domain names, URL patterns, or behavioral signatures, even if attackers change IP addresses. Since C2 infrastructure is frequently rotated, IP-based blocking alone is insufficient for long-term mitigation.

Option A (browser extension deny list) may help prevent a specific initial infection vector, but it does not addresspost-compromise C2 traffic, especially if malware communicates independently of the browser. Option B (antivirus quarantine) is reactive and limited by signature coverage; modern malware often evades AV detection. Option D (IDS) can detect similar connections but typically does notblocktraffic unless integrated with an IPS or firewall, making it less effective for mitigation.

From a professional threat hunting and SOC standpoint, blocking C2 communication at thenetwork layer using DPIis a high-impact defensive control. It disrupts attacker command channels, prevents data exfiltration, and buys time for endpoint remediation and forensic investigation.

This aligns withMITRE ATT&CK – Command and Control (TA0011)mitigation strategies and reflects a mature security posture:detect at the endpoint, disrupt at the network. Therefore, optionCis the most effective action to mitigate similar connections in the future.

The correct answer isAttack trees. Attack trees are uniquely suited for modelingmulti-step adversary behavior, which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration.

Attack trees begin with ahigh-level attacker goal(for example, “Exfiltrate customer data”) and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate.

Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capturesequential attack paths. Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.

For threat hunters and defenders, attack trees provide ashared mental modelbetween architects, SOC teams, and red teams. They directly inform detection engineering by highlightingcritical choke pointswhere attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments.

In modern cloud security, where breaches often involvemultiple low-severity issues chained together, attack trees offer far greater strategic value than component-by-component analysis. They also align closely withMITRE ATT&CK mapping, enabling defenders to translate threat models into actionable hunts.

Thus, optionCis the most appropriate and professionally validated answer.

The correct answer isdocument findings and operationalize detections. In Cisco’s threat hunting methodology, confirmation of malicious activity isnot the end of the hunt.

The most critical next step is to:

Document attacker behavior

Identify detection gaps

Create or improve SIEM, EDR, or NDR detection rules

This ensures the organization does not repeatedly rediscover the same threat. Options C and D are incident response and communication activities, not threat hunting lifecycle steps. Option A skips the crucial improvement phase.

TheCBRTHD blueprintstrongly emphasizes:

Continuous improvement

Feedback loops

Detection engineering

By operationalizing findings, the SOC increases maturity and forces adversaries to change tactics.

Therefore,Option Bis correct.

The correct answer ismapping trust relationships between identity systems. Hybrid identity environments introduce complex trust boundaries that attackers routinely exploit.

Modern breaches increasingly involveidentity pivoting, where attackers compromise a cloud identity and abuse synchronization, federation, or conditional access misconfigurations to escalate into on-prem Active Directory. These attack paths often do not rely on software vulnerabilities at all.

Option A is too narrow and focuses only on technical exploits. Option C measures severity but does not model movement. Option D analyzes traffic but does not explain privilege escalation pathways.

By mapping trust relationships—such as Azure AD Connect synchronization, service principals, hybrid admin roles, and conditional access exclusions—defenders can identifychained attack pathsthat enable privilege escalation without exploiting code.

From a threat hunting standpoint, this modeling enables:

Hypothesis-driven hunts

Detection of abnormal role assumptions

Visibility into identity abuse

This approach aligns withattack path modeling, a critical evolution of traditional threat modeling for identity-centric environments. Therefore, optionBis correct.

The correct answer isdocumenting findings and updating detection logic. Threat hunting delivers long-term value only when discoveries are operationalized.

Options A and B are necessary incident response actions but do not improve future detection. Option D delays remediation and risks further damage.

Within theCBRTHD threat hunting lifecycle, confirmed malicious activity should result in:

Detailed documentation of attacker techniques

Identification of detection gaps

Creation or refinement of SIEM, EDR, or NDR rules

This process ensures that similar behavior will be detected automatically in the future, reducing reliance on manual hunts. It also increases organizational maturity by institutionalizing knowledge.

Cisco emphasizes this feedback loop as a core principle of effective threat hunting. Without it, SOC teams repeatedly rediscover the same threats.

Thus,Option Cis the correct and professionally validated answer.

The correct answer isearlier detection of attacks before data exfiltration. This outcome directly translates toreduced business impact, which is the ultimate goal of threat hunting.

Alert volume (Option A) and false-positive reduction (Option B) measure operational efficiency, not security effectiveness. Option D measures spending, not outcomes.

Early detection:

Reduces dwell time

Prevents data loss

Limits operational disruption

Increases attacker cost

Cisco’sCBRTHD blueprintemphasizes outcome-driven security metrics, with early detection being one of the strongest indicators of threat hunting maturity.

Therefore,Option Cis the correct and executive-level answer.

The correct answer isTransitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities. This directly aligns with both theThreat Hunting Maturity Modeland the strategic goals of thePyramid of Pain, which emphasizes increasing the adversary’s cost by detecting behaviors and tactics rather than easily changeable indicators.

Reactive security operations focus on alerts, signatures, and known indicators such as hashes, IP addresses, and domains—the lowest and least painful levels of the Pyramid of Pain. While necessary, these controls are easily bypassed by sophisticated adversaries. Proactive threat hunting represents a higher maturity level, where analysts actively search forunknown, stealthy, or novel attacker behaviorsthat have not yet triggered alerts.

Option D (automating detection of known threats) improves efficiency but does not meaningfully increase adversary pain, as attackers can rapidly change known indicators. Option B provides preparedness benefits but does not directly shift detection capabilities. Option A focuses on compliance, which is necessary for governance but largely irrelevant to adversary behavior.

By transitioning to proactive hunting, organizations focus onTTP-based detection, such as credential misuse patterns, abnormal lateral movement, persistence mechanisms, and command-and-control behaviors. These detections operate higher in the Pyramid of Pain—tactics, techniques, and procedures—forcing attackers to significantly retool and increasing the likelihood of early detection.

From a CISO-level perspective, this shift reflects mature security leadership:compliance keeps you legal, automation keeps you efficient, but proactive threat hunting keeps you resilient against advanced threats.

The correct answer isC. Modifying this key requires administrative privileges, which the malware might not have.

The exhibit shows persistence established under the registry path:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This registry key is aper-user startup location, meaning any executable listed there will automatically run whenthat specific userlogs in. Crucially,write access to HKEY_CURRENT_USER (HKCU) does not require administrative privileges—only the privileges of the compromised user account.

In contrast,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

appliessystem-wideand causes programs to execute at startup forall users. However, modifying this key requireslocal administrator privileges. In many real-world breaches, attackers initially compromisestandard user accounts, not administrators. As a result, malware often chooses HKCU-based persistence mechanisms because they arereliable, stealthy, and achievable without privilege escalation.

Options A and D are incorrect because both registry paths are fully supported in modern versions of Windows and are explicitly designed for startup execution. Option B is incorrect because neither key automatically removes entries after a reboot—both are persistent by design.

From a threat hunting and endpoint detection perspective, this distinction is critical. HKCU persistence indicates:

User-level compromise

No confirmed administrative access (yet)

Potential precursor to privilege escalation attempts

This technique maps toMITRE ATT&CK – Persistence: Boot or Logon Autostart Execution (T1547.001). Mature SOC teams monitorboth HKCU and HKLM Run keys, but they interpret them differently when reconstructing attacker capability and progression.

In summary, the attacker usedHKCUbecause it enables persistencewithout requiring administrative privileges, makingOption Cthe correct and professionally accurate answer.