Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD
Version: Demo [Total Questions: 10]
Web: www.certsout.com
Email: support@certsout.com
Cisco 300-220: https://www.certsout.com/300-220-test.html
Cisco - 300-220 Certs Exam - Pass with Valid Exam Questions Pool

Category Breakdown
Category                              Number of Questions
Threat Hunting Outcomes               1
Threat Modeling Techniques            1
Threat Hunting Fundamentals           4
Threat Actor Attribution Techniques   1
Threat Hunting Processes              3
TOTAL                                 10

Question #:1 - [Threat Hunting Outcomes]
A SOC leadership team wants to demonstrate the business value of investing in Cisco-based threat hunting capabilities. Which outcome BEST demonstrates that value?
A. Increase in alerts generated by security tools
B. Reduction in false positives across the SOC
C. Earlier detection of attacks before data exfiltration
D. Growth in threat intelligence subscriptions
Answer: C

Explanation
The correct answer is earlier detection of attacks before data exfiltration. This outcome directly translates to reduced business impact, which is the ultimate goal of threat hunting. Alert volume (Option A) and false-positive reduction (Option B) measure operational efficiency, not security effectiveness. Option D measures spending, not outcomes.
Early detection:
- Reduces dwell time
- Prevents data loss
- Limits operational disruption
- Increases attacker cost

Cisco's CBRTHD blueprint emphasizes outcome-driven security metrics, with early detection being one of the strongest indicators of threat hunting maturity. Therefore, Option C is the correct and executive-level answer.

Question #:2 - [Threat Modeling Techniques]
A security architect is designing a threat model for a multi-tier cloud application that includes public APIs, backend microservices, and an identity provider. The goal is to identify how an attacker could chain multiple weaknesses together to achieve account takeover and data exfiltration. Which threat modeling technique is MOST appropriate?
A. STRIDE analysis to enumerate threat categories per component
B. CVSS scoring to prioritize vulnerabilities by severity
C. Attack trees to model adversary objectives and paths
D. DREAD scoring to assess impact and exploitability
Answer: C

Explanation
The correct answer is attack trees. Attack trees are uniquely suited for modeling multi-step adversary behavior, which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration. Attack trees begin with a high-level attacker goal (for example, "Exfiltrate customer data") and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate. Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capture sequential attack paths. Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.
For threat hunters and defenders, attack trees provide a shared mental model between architects, SOC teams, and red teams. They directly inform detection engineering by highlighting critical choke points where attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments. In modern cloud security, where breaches often involve multiple low-severity issues chained together, attack trees offer far greater strategic value than component-by-component analysis. They also align closely with MITRE ATT&CK mapping, enabling defenders to translate threat models into actionable hunts. Thus, option C is the most appropriate and professionally validated answer.

Question #:3 - [Threat Hunting Fundamentals]
Refer to the exhibit. (The exhibit is not reproduced in this text.)
The cybersecurity team at a company detects an ongoing attack directed at the web server that hosts the company website. The team analyzes the logs of the web application firewall and discovers several HTTP requests encoded in Base64. The team decodes the payloads and retrieves the HTTP requests. What did the attackers use to exploit the server?
A. Unicode encoding
B. SQL injection
C. directory traversal
D. cross-site scripting (XSS)
Answer: B

Explanation
The correct answer is SQL injection. The decoded HTTP request shown in the exhibit contains multiple unmistakable indicators of a SQL injection attack, including the use of SQL keywords and functions such as SELECT, CASE, SUBSTRING, ASCII, BIN, and conditional SLEEP() statements. These elements are characteristic of time-based blind SQL injection, a technique attackers use to extract database information when direct query results are not visible.
From a professional cybersecurity perspective, the presence of expressions like:
- SELECT (CASE WHEN ... THEN SLEEP(x))
- SUBSTRING(password,1,1)
- ASCII() and binary conversions

indicates that the attacker is probing the backend database character by character and using response timing to infer whether conditions are true or false. This is a well-known exploitation method used when error messages or query output are suppressed by the application. The use of Base64 encoding does not represent the attack itself but rather an obfuscation technique to evade basic web application firewall (WAF) signatures and logging visibility. Encoding payloads allows attackers to bypass simple pattern-matching defenses, but once decoded, the underlying SQL injection becomes evident. Option A (Unicode encoding) is incorrect because Unicode is commonly used for evasion, not exploitation. Option C (directory traversal) typically involves sequences like ../ to access filesystem paths, which are not present. Option D (XSS) targets client-side script execution and would include JavaScript payloads rather than database-focused logic.

According to the MITRE ATT&CK framework, this activity maps to Initial Access – Exploit Public-Facing Application (T1190). SQL injection remains one of the most exploited vulnerabilities in public-facing applications due to poor input validation and insecure coding practices. For threat hunters and defenders, this scenario reinforces the importance of deep payload inspection, decoding obfuscated requests, monitoring for anomalous database query behavior, and enforcing secure development practices such as parameterized queries and input sanitization. SQL injection continues to be a high-impact, real-world attack vector despite being well understood, making it a critical focus area in web application threat hunting.
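The decode-then-inspect workflow this explanation describes can be written down as a small WAF log triage routine. The Python below is an added example for this page, not code from the question bank or from Cisco. It assumes a constructed log format (`<timestamp> <src_ip> <method> <path> payload=<base64>`) and constructed requests in place of the exhibit, which is not reproduced here. It goes a little beyond the question by also labelling the distractor classes (directory traversal, XSS) and by flagging payloads that fail Base64 decoding instead of silently dropping them, so an analyst sees what the WAF could not read.

```python
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import unquote_plus

# --- Constructed sample data (hypothetical; not the exhibit from the original question) ---
# (source IP, request path, raw query string). Encoded with Base64 below to mimic the
# obfuscated requests described in the scenario.
CONSTRUCTED_REQUESTS = [
    ("203.0.113.7", "/product.php",
     "id=1 AND (SELECT (CASE WHEN ASCII(SUBSTRING(password,1,1))>77 THEN SLEEP(5) ELSE 0 END))"),
    ("203.0.113.7", "/product.php",
     "id=1 AND (SELECT (CASE WHEN BIN(ASCII(SUBSTRING(password,2,1)))>100 THEN SLEEP(5) ELSE 0 END))"),
    ("198.51.100.9", "/download.php", "file=../../../../etc/passwd"),
    ("198.51.100.9", "/search.php", "q=<script>alert(1)</script>"),
    ("192.0.2.4", "/product.php", "id=42"),
]

def _encode_log_line(ip: str, path: str, query: str, seq: int) -> str:
    payload = base64.b64encode(query.encode()).decode()
    return f"2024-05-01T10:00:{seq:02d}Z {ip} GET {path} payload={payload}"

# Hypothetical WAF log format: "<timestamp> <src_ip> <method> <path> payload=<base64>".
SAMPLE_WAF_LOG = [_encode_log_line(ip, path, q, i) for i, (ip, path, q) in enumerate(CONSTRUCTED_REQUESTS)]
SAMPLE_WAF_LOG.append("2024-05-01T10:00:09Z 192.0.2.4 GET /product.php payload=!!not-base64!!")

# --- Indicator patterns: the SQL constructs named in the explanation plus common equivalents ---
SQLI_INDICATORS = {
    "select":    re.compile(r"\bSELECT\b", re.I),
    "case_when": re.compile(r"\bCASE\s+WHEN\b", re.I),
    "substring": re.compile(r"\b(SUBSTRING|SUBSTR|MID)\s*\(", re.I),
    "char_conv": re.compile(r"\b(ASCII|ORD|BIN)\s*\(", re.I),
    "delay":     re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
}
TRAVERSAL_PATTERN = re.compile(r"\.\.[/\\]")
XSS_PATTERN = re.compile(r"<\s*script\b|javascript:|\bon[a-z]+\s*=", re.I)
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) payload=(?P<payload>\S+)$")

def decode_payload(field: str) -> str | None:
    """Reverse the Base64 obfuscation, then any URL encoding. Returns None on undecodable input."""
    try:
        raw = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return unquote_plus(raw)

def classify(decoded: str) -> tuple[str, list[str]]:
    """Label a decoded request by the strongest attack indicator class it carries."""
    hits = [name for name, pat in SQLI_INDICATORS.items() if pat.search(decoded)]
    # A delay function next to per-character extraction is the time-based blind signature.
    if "delay" in hits and ({"substring", "char_conv", "case_when"} & set(hits)):
        return "time-based blind SQL injection", hits
    if len(hits) >= 2:
        return "SQL injection", hits
    if TRAVERSAL_PATTERN.search(decoded):
        return "directory traversal", ["dot-dot-slash"]
    if XSS_PATTERN.search(decoded):
        return "cross-site scripting", ["script-tag-or-handler"]
    return "benign", []

def analyze_waf_log(lines: list[str]) -> list[dict]:
    """Parse, decode and classify each line; undecodable payloads are flagged rather than dropped."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_payload(m["payload"])
        label, hits = ("undecodable payload", []) if decoded is None else classify(decoded)
        results.append({"ip": m["ip"], "path": m["path"], "decoded": decoded,
                        "label": label, "indicators": hits})
    return results

def sources_with_sqli(results: list[dict]) -> set[str]:
    """Source IPs with at least one SQL injection attempt: a pivot for the rest of the hunt."""
    return {r["ip"] for r in results if "SQL injection" in r["label"]}

if __name__ == "__main__":
    for r in analyze_waf_log(SAMPLE_WAF_LOG):
        print(f"{r['ip']:<14} {r['label']:<32} {r['indicators']}")
```

Two design notes. The time-based blind label is only assigned when a delay function co-occurs with per-character extraction (SUBSTRING, ASCII/BIN, CASE WHEN), which keeps a lone `SLEEP` in a benign request from tripping it. In a real hunt the per-source pivot matters as much as the per-request label: blind extraction shows up as long runs of near-identical requests from one source that differ only in character offset and comparison value, so group by source and path over time before raising the case.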
Question #:4 - [Threat Hunting Fundamentals]
According to the MITRE ATT&CK framework, how is the password spraying technique classified?
A. Privilege escalation
B. Initial access
C. Lateral movement
D. Credential access
Answer: D

Explanation
The correct answer is Credential Access. In the MITRE ATT&CK framework, password spraying is classified under the Credential Access tactic (TA0006), specifically technique T1110.003 – Password Spraying. This classification is based on the attacker's primary objective: gaining valid credentials by systematically attempting a small number of common or weak passwords across many user accounts. Password spraying differs from brute-force attacks in that it intentionally avoids rapid or repeated attempts against a single account, thereby evading account lockout controls and basic detection mechanisms. Instead, attackers "spray" one password (for example, Winter2025! or Password123) across a large number of users, exploiting the likelihood that at least one account will use that password. Although successful password spraying often leads to initial access, MITRE classifies it under Credential Access because the technique's defining action is the acquisition of credentials, not the system entry itself. Initial access is the outcome, while credential theft is the method. This distinction is critical for threat hunters, as it guides where detections and controls should be focused. From a professional threat hunting perspective, defenders monitor authentication telemetry such as failed and successful logins across identity providers, VPNs, cloud services, and email platforms. Indicators include multiple authentication failures across many accounts from a single source IP, followed by one or more successful logins.
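The indicator pattern just described (many failures across distinct accounts from one source, then a success) is straightforward to encode as a hunt query. The Python below is an added example for this page, not Cisco's code or the question bank's. It runs over a constructed, simplified authentication export (`<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>`); the thresholds (30-minute window, five accounts, at most two attempts per account) are assumptions to be tuned per identity provider. It also separates spraying from single-account brute force, the contrast the explanation draws.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication telemetry (hypothetical identity-provider export; not real data).
# One event per line: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:05Z 203.0.113.50 alice FAILURE
2024-05-01T08:00:41Z 203.0.113.50 bob FAILURE
2024-05-01T08:01:17Z 203.0.113.50 carol FAILURE
2024-05-01T08:01:55Z 203.0.113.50 dave FAILURE
2024-05-01T08:02:30Z 203.0.113.50 erin FAILURE
2024-05-01T08:03:09Z 203.0.113.50 frank FAILURE
2024-05-01T08:03:48Z 203.0.113.50 grace SUCCESS
2024-05-01T08:04:10Z 198.51.100.20 heidi FAILURE
2024-05-01T08:04:12Z 198.51.100.20 heidi FAILURE
2024-05-01T08:04:14Z 198.51.100.20 heidi FAILURE
2024-05-01T08:04:16Z 198.51.100.20 heidi FAILURE
2024-05-01T08:04:18Z 198.51.100.20 heidi FAILURE
2024-05-01T08:04:20Z 198.51.100.20 heidi FAILURE
2024-05-01T08:05:00Z 192.0.2.10 ivan FAILURE
2024-05-01T08:05:30Z 192.0.2.10 ivan SUCCESS
"""

def parse_auth_log(text: str) -> list[dict]:
    """Parse the constructed format into time-ordered events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAILURE"):
            continue
        ts, ip, user, result = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "success": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])

def detect_authentication_abuse(events: list[dict], window_minutes: int = 30, min_accounts: int = 5,
                                max_per_account: int = 2, brute_force_threshold: int = 5) -> list[dict]:
    """Per source IP, look for the spraying shape (many accounts, few tries each, optionally a later
    success) and, for contrast, the brute-force shape (one account hammered). Thresholds are assumptions."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)          # events stay time-ordered within each source
    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            if start["success"]:
                continue                  # a detection window opens on a failure
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            fail_counts: dict[str, int] = defaultdict(int)
            for e in span:
                if not e["success"]:
                    fail_counts[e["user"]] += 1
            distinct = len(fail_counts)
            heaviest = max(fail_counts.values())
            successes = sorted({e["user"] for e in span if e["success"]})
            record = {"ip": ip, "accounts_targeted": distinct, "max_attempts_per_account": heaviest,
                      "compromised_accounts": successes, "first_seen": start["ts"].isoformat()}
            if distinct >= min_accounts and heaviest <= max_per_account:
                findings.append({"kind": "password spraying", **record})
                break                     # one finding per source is enough for triage
            if distinct == 1 and heaviest >= brute_force_threshold:
                findings.append({"kind": "single-account brute force", **record})
                break
    return findings

if __name__ == "__main__":
    for finding in detect_authentication_abuse(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

The low-and-slow variant the explanation mentions is handled by widening `window_minutes` (hours or days) rather than by lowering `min_accounts`; the discriminating feature of a spray is breadth across accounts with a flat per-account attempt count, which is why `max_per_account` is part of the rule and why the same data flags 198.51.100.20 as brute force rather than spraying.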
Identity-centric logging and anomaly detection are foundational here, reinforcing the principle that identity is the primary attack surface in modern environments. Understanding password spraying as a credential access technique helps organizations prioritize protections such as strong password policies, MFA enforcement, adaptive authentication, and detection logic tuned for low-and-slow authentication abuse.

Question #:5 - [Threat Actor Attribution Techniques]
During an investigation, analysts observe that attackers consistently avoid PowerShell logging, disable AMSI, and prefer WMI for execution. Why is this information critical for attribution?
A. It identifies the malware family used
B. It reveals the attacker's IP infrastructure
C. It reflects the attacker's operational preferences
D. It confirms the exploit used for initial access
Answer: C

Explanation
The correct answer is that it reflects the attacker's operational preferences. Attribution relies on understanding how attackers operate, not just what tools they use. Operational preferences—such as avoiding PowerShell logging, disabling AMSI, and favoring WMI—are behavioral signatures. These patterns often persist across campaigns and are documented in threat intelligence reports associated with specific adversaries. Option A is incorrect because malware families change frequently. Option B is unreliable due to infrastructure rotation. Option D is unrelated to post-access tradecraft.

Professional attribution focuses on:
- Execution methods
- Defensive evasion choices
- Tooling preferences
- Workflow consistency

Mapping these behaviors to MITRE ATT&CK techniques enables analysts to compare findings against known threat actor profiles. This provides higher confidence attribution than artifact-based indicators.
Thus, option C is the correct answer.

Question #:6 - [Threat Hunting Fundamentals]
What is the classification of the pass-the-hash technique according to the MITRE ATT&CK framework?
A. Lateral movement
B. Persistence
C. Credential access
D. Privilege escalation
Answer: C

Explanation
The pass-the-hash (PtH) technique is classified under Credential Access in the MITRE ATT&CK framework. Specifically, it aligns with the Credential Access tactic (TA0006) and the technique Use Alternate Authentication Material (T1550), sub-technique Pass the Hash (T1550.002). This classification is based on the attacker's primary objective: abusing stolen credential material—in this case, NTLM password hashes—to authenticate to systems without knowing the actual plaintext password. From a professional cybersecurity and threat hunting perspective, PtH exploits weaknesses in how Windows authentication mechanisms handle credential storage and reuse. When users authenticate to a system, password hashes may be cached in memory or stored in places such as LSASS (Local Security Authority Subsystem Service). If an attacker gains administrative or SYSTEM-level access to a host, they can extract these hashes and reuse them to authenticate to other systems across the environment. Although pass-the-hash is often observed during lateral movement, MITRE intentionally classifies it under Credential Access because the defining action is the theft and misuse of credential material, not the movement itself. Lateral movement is a downstream outcome enabled by the stolen credentials, but the core technique is about accessing and abusing authentication secrets. This distinction is important for threat hunters and detection engineers.
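To make the defender's side of this concrete, here is an added Python example, not code from the question bank or from Cisco, that implements two of the PtH hunting indicators this question's explanation goes on to list: NTLM network logons by domain accounts on hosts where Kerberos is expected, and one account reusing NTLM from a single source against several hosts in a short window, correlated with Event ID 4672 to show whether the logon carried special privileges. The events are constructed dictionaries that mirror the EventData field names of Windows Security Events 4624 and 4672; the domain name CORP, the hostnames, addresses and thresholds are all assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events (hypothetical; simplified to the EventData fields of
# 4624 "An account was successfully logged on" and 4672 "Special privileges assigned").
# Hostnames, users and addresses are invented for the example.
SAMPLE_EVENTS = [
    # Kerberos network logon by a domain user: the expected, benign case.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:00:00Z", "Computer": "SRV-FILE01", "TargetUserName": "asmith",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "WS-017", "IpAddress": "10.0.5.17", "TargetLogonId": "0x1a2b3"},
    # Domain account over NTLM, fanning out from one workstation to three servers in five minutes.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:10:00Z", "Computer": "SRV-FILE01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-042", "IpAddress": "10.0.5.42", "TargetLogonId": "0x2c4d5"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:12:30Z", "Computer": "SRV-APP02", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-042", "IpAddress": "10.0.5.42", "TargetLogonId": "0x3e5f6"},
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:14:45Z", "Computer": "DC01", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-042", "IpAddress": "10.0.5.42", "TargetLogonId": "0x4a6b7"},
    {"EventID": 4672, "TimeCreated": "2024-05-01T09:14:45Z", "Computer": "DC01", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "SubjectLogonId": "0x4a6b7"},
    # Local account on a standalone host: NTLM is the normal package here, so Kerberos is not expected.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:20:00Z", "Computer": "SRV-WEB03", "TargetUserName": "Administrator",
     "TargetDomainName": "SRV-WEB03", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-099", "IpAddress": "10.0.9.9", "TargetLogonId": "0x5b7c8"},
    # A single NTLM logon by a domain service account: noted, but not a fan-out pattern.
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:30:00Z", "Computer": "SRV-FILE01", "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "BKP01", "IpAddress": "10.0.7.7", "TargetLogonId": "0x6c8d9"},
]

DOMAIN = "CORP"  # assumption: the AD domain name as it appears in TargetDomainName

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def ntlm_where_kerberos_expected(events: list[dict]) -> list[dict]:
    """4624 network logons (LogonType 3) by a domain account that used NTLM instead of Kerberos.
    Local accounts (TargetDomainName equals the host name) are excluded: NTLM is normal for them."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"].upper() == "NTLM"
            and e["TargetDomainName"].upper() == DOMAIN
            and e["TargetDomainName"].upper() != e["Computer"].upper()]

def detect_ntlm_fanout(events: list[dict], min_hosts: int = 3, window_minutes: int = 15) -> list[dict]:
    """One (account, source IP) pair reaching >= min_hosts distinct hosts over NTLM inside the window,
    which is the observable shape of one stolen hash being replayed across systems. Each finding is
    correlated with 4672 on the same host and logon ID to show where the session was privileged."""
    privileged = {(e["Computer"], e["SubjectLogonId"]) for e in events if e["EventID"] == 4672}
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in ntlm_where_kerberos_expected(events):
        groups[(e["TargetUserName"], e["IpAddress"])].append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for (user, ip), evs in groups.items():
        evs.sort(key=lambda e: _ts(e["TimeCreated"]))
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if _ts(e["TimeCreated"]) - _ts(first["TimeCreated"]) <= window]
            hosts = sorted({e["Computer"] for e in span})
            if len(hosts) >= min_hosts:
                findings.append({
                    "user": user, "source_ip": ip, "hosts": hosts, "first_seen": first["TimeCreated"],
                    "privileged_hosts": sorted({e["Computer"] for e in span
                                                if (e["Computer"], e["TargetLogonId"]) in privileged}),
                })
                break  # one finding per (user, source) pair
    return findings

if __name__ == "__main__":
    print(len(ntlm_where_kerberos_expected(SAMPLE_EVENTS)), "NTLM logons where Kerberos was expected")
    for f in detect_ntlm_fanout(SAMPLE_EVENTS):
        print(f)
```

Two caveats for a production version of this hunt. A domain client that connects to a server by IP address rather than by hostname has no service principal name to request a ticket for and falls back to NTLM, so `ntlm_where_kerberos_expected` alone is noisy; the fan-out rule and the 4672 correlation are what raise confidence, and the LSASS access telemetry the explanation mentions is the third leg. Known NTLM-only service accounts and legacy hosts belong on an allow-list rather than in the threshold.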
When hunting for PtH activity, defenders focus on indicators such as abnormal NTLM authentication events, logons using NTLM where Kerberos is expected, reuse of the same hash across multiple systems, and suspicious access to LSASS memory. Endpoint telemetry, Windows Security Event Logs (e.g., Event IDs 4624 and 4672), and EDR memory access alerts are commonly used data sources. Understanding PtH as a credential access technique helps security teams prioritize protections such as Credential Guard, LSASS hardening, disabling NTLM where possible, enforcing least privilege, and monitoring authentication anomalies. This classification also reinforces a core professional principle: identity is the new perimeter, and protecting credential material is foundational to modern threat hunting and defense.

Question #:7 - [Threat Hunting Processes]
After completing a threat hunt that uncovered previously undetected credential abuse, the SOC wants to ensure long-term improvement in detection and response capabilities. Which action BEST represents the final and most critical phase of the threat hunting lifecycle?
A. Immediately blocking all related IP addresses
B. Documenting findings and updating detection logic
C. Resetting affected user credentials
D. Conducting additional unstructured hunts
Answer: B

Explanation
The correct answer is documenting findings and updating detection logic. This represents the post-hunt operationalization phase, which is critical for long-term security improvement. While options A and C are necessary response actions, they address only the current incident. Threat hunting's strategic value comes from transforming discoveries into repeatable detections, playbooks, and controls.

Professional threat hunting programs ensure that:
- Successful hunts produce new SIEM rules
- Detection gaps are closed
- Findings are documented for future analysts
- Lessons learned inform security architecture decisions

Option D continues exploration but fails to institutionalize knowledge. Without operationalizing results, organizations repeatedly rediscover the same threats. This phase directly increases maturity in the Threat Hunting Maturity Model, shifting organizations from hero-driven hunting to scalable, resilient detection. It also moves defenders up the Pyramid of Pain, forcing adversaries to change tactics rather than indicators. Therefore, option B is the correct and most strategically important answer.

Question #:8 - [Threat Hunting Processes]
A SOC repeatedly discovers similar attacker behaviors during separate hunts, indicating recurring detection gaps. What process change MOST effectively prevents rediscovery of the same threats?
A. Increasing analyst staffing
B. Automating hunt execution
C. Converting hunt findings into permanent detections
D. Conducting more frequent unstructured hunts
Answer: C

Explanation
The correct answer is converting hunt findings into permanent detections. Threat hunting is only effective when discoveries are operationalized. Without converting findings into SIEM, EDR, or NDR detections, organizations repeatedly identify the same attacker behaviors, wasting time and resources. Options A, B, and D improve capacity but do not eliminate blind spots.

Mature threat hunting programs ensure that:
- Hunts produce detection rules
- Alerts are tuned and validated
- Knowledge is institutionalized

This is a defining trait of high-maturity security organizations and directly improves resilience. Therefore, option C is correct.

Question #:9 - [Threat Hunting Processes]
A threat hunter is performing a structured hunt using Cisco Secure Endpoint (AMP) telemetry to identify credential harvesting activity. Which data source is MOST critical during the data collection and processing phase of the hunt?
A. File reputation scores from Talos
B. Endpoint process execution and memory access events
C. Threat intelligence reports from external vendors
D. User-reported suspicious activity
Answer: B

Explanation
The correct answer is endpoint process execution and memory access events. During the data collection and processing phase, the goal is to gather high-fidelity telemetry that supports hypothesis validation. Credential harvesting often occurs without dropping malware and instead relies on:
- Memory scraping
- LSASS access
- Credential dumping tools
- In-memory execution

Cisco Secure Endpoint provides deep visibility into:
- Process creation and parent-child relationships
- Memory access attempts
- Privilege abuse
- Fileless execution

Option A provides enrichment but not raw behavioral evidence. Option C supports context but does not replace endpoint telemetry. Option D is reactive and unreliable for structured hunts. Within the CBRTHD threat hunting lifecycle, this phase emphasizes evidence over indicators. Without endpoint execution and memory telemetry, hunters cannot reliably confirm credential access techniques. This aligns with MITRE ATT&CK Credential Access tactics and Cisco's emphasis on endpoint behavioral analytics. Thus, Option B is the correct answer.

Question #:10 - [Threat Hunting Fundamentals]
Refer to the exhibit. (The exhibit is not reproduced in this text.)
An increase in company traffic is observed by the SOC team. After they investigate the spike, it is concluded that the increase is due to ongoing scanning activity.
Further analysis reveals that an adversary used Nmap for OS fingerprinting. Which type of indicators used by the adversary sits highest on the Pyramid of Pain?
A. UDPs
B. port probes
C. network/host artifacts
D. IP addresses
Answer: C

Explanation
The correct answer is network/host artifacts. To understand why, it is important to map the observed attacker behavior to the Pyramid of Pain, a model that ranks indicators by how difficult they are for adversaries to change once detected. In this scenario, the adversary is using Nmap OS fingerprinting, which involves sending carefully crafted packets and analyzing responses (TCP/IP stack behavior, TTL values, window sizes, flags, and timing characteristics). These behaviors leave behind network and host artifacts, such as distinctive scan patterns, abnormal TCP flag combinations, OS fingerprinting probes, and consistent tool-specific traffic signatures.

On the Pyramid of Pain:
- IP addresses (D) sit at the very bottom. Attackers can trivially change IPs using VPNs, proxies, or botnets.
- Port probes (B) and UDPs (A) represent low-level indicators that are also easy to modify. An attacker can change scan ports, protocols, or scan timing with minimal effort.
- Network/host artifacts (C) sit significantly higher. These include tool-generated behaviors, protocol anomalies, OS fingerprinting patterns, and scan logic inherent to tools like Nmap. Changing these requires attackers to reconfigure tools, write custom scanners, or significantly alter their operational approach.

From a threat hunting and SOC maturity perspective, detecting and alerting on network and host artifacts forces attackers to expend more time and resources, increasing their operational cost.
This aligns with the core objective of the Pyramid of Pain: maximize adversary pain by detecting behaviors, not easily replaceable indicators. Professionally mature SOC teams focus on identifying scanning techniques (e.g., Nmap OS detection, TCP ACK probes, UDP probes) rather than blocking individual IPs. These detections are resilient, scalable, and effective against both commodity attackers and advanced adversaries. In short, while IPs and ports are useful for short-term containment, network and host artifacts provide the highest-value indicators in this scenario, making C the correct answer.