Cisco 300-220 Exam With Confidence Using Practice Dumps

The correct next action is tosubmit the file for sandboxing. In professional security operations and threat hunting workflows, sandboxing is the most appropriate step when a file originates from an untrusted source and hash-based reputation checks return anunknownresult. An unknown hash means the file has not yet been classified as benign or malicious by threat intelligence databases, which is common with newly created malware or targeted attacks.

Sandboxing allows the security team to performdynamic analysisby executing the file in an isolated, controlled environment. This process observes runtime behaviors such as process creation, registry modification, network communications, command-and-control callbacks, file system changes, and exploit attempts. These behaviors provide high-fidelity indicators that static analysis or hash lookups cannot reveal.

Option B, reviewing the directory path, is useful for contextual awareness but does not determine whether the file is malicious. Option C, running a full malware scan, is premature; modern malware often evades signature-based scans, especially when the file is previously unknown. Option D, investigating the reputation of the website, is a supporting activity but does not assess the actual behavior or payload of the downloaded file.

From a threat hunting and incident response standpoint, sandboxing bridges the gap betweendetection and confirmation. If the sandbox analysis confirms malicious behavior, the team can escalate to containment actions such as isolating the endpoint, blocking hashes and domains, and performing scope analysis to identify other affected systems. Additionally, sandbox results can be used to create new SIEM detections and EDR behavioral rules, strengthening future defenses.

This approach aligns with professional best practices:unknown file + untrusted source = dynamic analysis first. It ensures accurate classification while minimizing unnecessary disruption to the user or environment.

The correct answer isAttack trees. Attack trees are uniquely suited for modelingmulti-step adversary behavior, which is essential when analyzing complex attack chains such as account takeover followed by data exfiltration.

Attack trees begin with ahigh-level attacker goal(for example, “Exfiltrate customer data”) and then break that goal into multiple branches representing different paths an attacker could take. These paths can include credential compromise, API abuse, privilege escalation, lateral movement, and persistence. This structure mirrors how real adversaries think and operate.

Option A (STRIDE) is useful for identifying broad threat categories—such as spoofing, tampering, or information disclosure—but it does not naturally capturesequential attack paths. Option B (CVSS) focuses on vulnerability severity scoring, not adversary behavior. Option D (DREAD) assesses risk impact but does not visualize how attacks unfold across systems.

For threat hunters and defenders, attack trees provide ashared mental modelbetween architects, SOC teams, and red teams. They directly inform detection engineering by highlightingcritical choke pointswhere attacker behavior must occur, such as token abuse, API enumeration, or anomalous role assumption in cloud environments.

In modern cloud security, where breaches often involvemultiple low-severity issues chained together, attack trees offer far greater strategic value than component-by-component analysis. They also align closely withMITRE ATT&CK mapping, enabling defenders to translate threat models into actionable hunts.

Thus, optionCis the most appropriate and professionally validated answer.

The correct answer isendpoint memory access telemetry. Credential dumping often involves accessing sensitive memory regions, such as LSASS, rather than deploying obvious malware.

Modern attackers frequently use:

Legitimate tools

In-memory techniques

Living-off-the-land binaries

These methods bypass file-based detection entirely. Email, DNS, and firewall logs provide limited visibility into memory-level abuse.

Endpoint memory telemetry enables detection of:

Unauthorized LSASS access

Suspicious handle requests

Abnormal process injection

This telemetry is foundational for detectingcredential access techniquesin modern environments. Therefore, optionBis correct.