300-220 Exam Dumps : Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD

The correct answer isCredential Access. In the MITRE ATT&CK framework,password sprayingis classified under theCredential Access tactic (TA0006), specifically techniqueT1110.003 – Password Spraying. This classification is based on the attacker’s primary objective:gaining valid credentialsby systematically attempting a small number of common or weak passwords across many user accounts.

Password spraying differs from brute-force attacks in that it intentionally avoids rapid or repeated attempts against a single account, thereby evading account lockout controls and basic detection mechanisms. Instead, attackers “spray” one password (for example,Winter2025!orPassword123) across a large number of users, exploiting the likelihood that at least one account will use that password.

Although successful password spraying often leads toinitial access, MITRE classifies it underCredential Accessbecause the technique’s defining action is theacquisition of credentials, not the system entry itself. Initial access is the outcome, while credential theft is the method. This distinction is critical for threat hunters, as it guides where detections and controls should be focused.

From a professional threat hunting perspective, defenders monitor authentication telemetry such as failed and successful logins across identity providers, VPNs, cloud services, and email platforms. Indicators include multiple authentication failures across many accounts from a single source IP, followed by one or more successful logins. Identity-centric logging and anomaly detection are foundational here, reinforcing the principle thatidentity is the primary attack surface in modern environments.

Understanding password spraying as a credential access technique helps organizations prioritize protections such as strong password policies, MFA enforcement, adaptive authentication, and detection logic tuned for low-and-slow authentication abuse.

The correct answer iscorrelating attacker behavior across multiple MITRE ATT&CK techniques. This approach focuses onbehavioral detection, which is the cornerstone of effective threat hunting and advanced security operations.

Attackers who abuse legitimate administrative tools—often referred to asliving-off-the-land techniques—intentionally avoid malware-based detections. File hashes, signatures, and known indicators provide minimal value because there may beno malicious files at all. Options A and D sit at the lowest levels of thePyramid of Pain, making them easy for adversaries to evade.

By correlating behavior across multiple ATT&CK techniques—such as credential access, lateral movement, privilege escalation, and command execution—defenders detecthowthe attacker operates rather thanwhat toolsthey use. This forces adversaries to fundamentally change tradecraft, which is costly, risky, and time-consuming.

Option C improves visibility but does not inherently raise attacker cost. Threat intelligence feeds are reactive and often lag behind active campaigns.

From a professional threat hunting perspective, correlating multiple low-signal behaviors into ahigh-confidence attack patternis how mature SOCs detect stealthy intrusions. This method also supports scalable detection engineering, improved alert fidelity, and reduced false positives.

This strategy directly aligns with higher tiers of theThreat Hunting Maturity Modeland the top of thePyramid of Pain, making optionBthe correct answer.

The correct answer isMonitoring failed AWS console login attempts. The Bash script shown in the exhibit is clearly designed toparse AWS CloudTrail logsand extract specific authentication-related events.

Breaking down the script behavior from a professional cloud security perspective:

gunzip -c *.json.gz indicates the script is processingcompressed CloudTrail log files, which are typically stored in .json.gz format.

jq -c '.Records[]' parses individual CloudTrail records, a common approach when analyzing AWS activity logs.

The filter conditions explicitly check for:

eventSource == "signin.amazonaws.com"

eventName == "ConsoleLogin"

responseElements.ConsoleLogin == "Failure"

These fields are definitive indicators offailed AWS Management Console login attempts. Additionally, the script extracts contextual fields such as:

Event time

Source IP address

Error message

AWS region

Username

MFA usage status

This data is exactly what security teams use to detectcredential abuse, password spraying, brute-force attempts, and compromised IAM accounts. Monitoring failed console logins is a foundational cloud threat hunting activity, especially for identifying early stages of account takeover.

Option B is incorrect because the script does not establish AWS CLI sessions or authenticate to accounts. Option C is incorrect because instance errors would involve services like ec2.amazonaws.com and different event names. Option D is incorrect because the script is analyzing—not archiving—records, and it applies filtering logic rather than storage or lifecycle management.

From a threat hunting and cloud security standpoint, this script supportsidentity-focused detection, which is critical in AWS environments where IAM misuse is one of the most common initial access vectors. It aligns withMITRE ATT&CK – Credential Access and Initial Access, particularly techniques involving valid account abuse.

In summary, the script’s clear purpose is tomonitor failed AWS console login attempts, makingOption Athe correct and professionally validated answer.