Cisco 300-220 Online Access

The correct answers areA. Service and version of the web serverandC. Technology used by the application. The error message shown in the exhibit is a classic example ofverbose error handling, which unintentionally discloses sensitive internal details about the web application stack.

First, the error page explicitly referencesApache Tomcat/6.0.16at the bottom. This directly exposes theweb server/service and its exact version, makingOption Acorrect. From an attacker’s perspective, this is valuable intelligence because it allows them to search forknown vulnerabilities, exploits, or misconfigurationsspecific to that version of Tomcat. Older versions of Tomcat, in particular, have a long history of publicly documented security flaws.

Second, the stack trace references components such as:

org.apache.jasper.compiler.*

.jsp files (e.g., /user/left.jsp)

javax.servlet.http.HttpServlet

These details clearly reveal thetechnology stack used by the application, namelyJava Server Pages (JSP)running onApache Tomcat with Apache Jasper. This confirmsOption Cas correct. Exposing application technology helps attackers tailor attacks such as deserialization exploits, JSP injection attempts, or framework-specific vulnerabilities.

Option B is incorrect because the error message doesnotstate or imply that Apache Jasper is vulnerable to path injection; it merely shows a compilation/runtime error. Option D is incorrect because the error page provides no information about theclient-side browser version—all disclosed details relate to server-side processing.

From a professional security and threat hunting perspective, verbose error messages significantlyincrease attack surface visibility. Best practices dictate that production systems should returngeneric error messagesto users while logging detailed stack traces internally. This scenario reinforces why proper error handling and information disclosure controls are critical defensive measures.

In summary, the penetration test error message exposes:

Theweb server service and version

Theapplication technology stack

Therefore, the correct answers areA and C.

The correct answer isanalyzing abnormal behavior patterns across identity, endpoint, and network telemetry. This approach represents the foundation of modern threat hunting and directly addresses adversaries who deliberately avoid traditional detections.

Advanced attackers increasingly rely onliving-off-the-land techniques, stolen credentials, and legitimate administrative tools such as PowerShell, WMI, RDP, and cloud APIs. These activities rarely generate malware signatures or known IOCs, making alert-driven and signature-based defenses insufficient. As a result, mature threat hunting programs shift focus towardbehavioral analysis and anomaly detection.

Option A and D rely on static indicators such as IPs, domains, and hashes. These sit at thelowest levels of the Pyramid of Painand are trivial for attackers to change. Option B is purely reactive and limited to known malware, offering little value against stealthy intrusions.

By correlating identity logs (authentication patterns, geolocation anomalies), endpoint telemetry (process execution, parent-child relationships), and network activity (unusual connections, lateral movement patterns), hunters can detectIndicators of Attack (IOAs)rather than waiting for confirmed compromise. This enables identification of credential misuse, privilege abuse, and lateral movement even when no malware is present.

This methodology aligns withMITRE ATT&CK TTP-based hunting, which focuses on tactics and techniques instead of tools or infrastructure. It also reflects a higher tier in theThreat Hunting Maturity Model, where organizations proactively search for unknown threats rather than responding to alerts.

In professional SOC environments, this shift dramatically increases detection coverage against advanced adversaries and reduces dwell time. Therefore, optionCis the most accurate and strategically sound answer.

The correct answer isMonitoring failed AWS console login attempts. The Bash script shown in the exhibit is clearly designed toparse AWS CloudTrail logsand extract specific authentication-related events.

Breaking down the script behavior from a professional cloud security perspective:

gunzip -c *.json.gz indicates the script is processingcompressed CloudTrail log files, which are typically stored in .json.gz format.

jq -c '.Records[]' parses individual CloudTrail records, a common approach when analyzing AWS activity logs.

The filter conditions explicitly check for:

eventSource == "signin.amazonaws.com"

eventName == "ConsoleLogin"

responseElements.ConsoleLogin == "Failure"

These fields are definitive indicators offailed AWS Management Console login attempts. Additionally, the script extracts contextual fields such as:

Event time

Source IP address

Error message

AWS region

Username

MFA usage status

This data is exactly what security teams use to detectcredential abuse, password spraying, brute-force attempts, and compromised IAM accounts. Monitoring failed console logins is a foundational cloud threat hunting activity, especially for identifying early stages of account takeover.

Option B is incorrect because the script does not establish AWS CLI sessions or authenticate to accounts. Option C is incorrect because instance errors would involve services like ec2.amazonaws.com and different event names. Option D is incorrect because the script is analyzing—not archiving—records, and it applies filtering logic rather than storage or lifecycle management.

From a threat hunting and cloud security standpoint, this script supportsidentity-focused detection, which is critical in AWS environments where IAM misuse is one of the most common initial access vectors. It aligns withMITRE ATT&CK – Credential Access and Initial Access, particularly techniques involving valid account abuse.

In summary, the script’s clear purpose is tomonitor failed AWS console login attempts, makingOption Athe correct and professionally validated answer.

The correct answer issmall, periodic outbound connections to a rare destination. Beaconing is a hallmark of command-and-control (C2) communication, particularly in stealthy malware campaigns.

Attackers design C2 channels to:

Minimize bandwidth usage

Blend into normal traffic

Avoid triggering threshold-based alerts

As a result, beaconing traffic often consists oflow-volume, regular intervalsconnecting to the same external destination. Cisco Secure Network Analytics is purpose-built to detect this type ofbehavioral anomalyusing NetFlow and telemetry analysis.

Option A suggests data exfiltration rather than beaconing. Option B is too broad and unspecific. Option D relates to denial-of-service or scanning activity, not C2.

This hunting technique aligns withMITRE ATT&CK – Command and Controland is explicitly covered in theCBRTHD blueprintunder network-based threat hunting. Detecting beaconing behavior forces attackers to significantly alter their communication strategy, increasing their operational cost.

Therefore,Option Cis the correct and Cisco-aligned answer.