Cisco 300-220 Dumps Questions Answers

The correct answer isConnection status. In this scenario, the key challenge for the security team is differentiatinglegitimate outbound trafficfrommalicious or DDoS-related trafficoriginating from the same web server. Since both types of traffic coexist in the logs, analysts must rely on an attribute that meaningfully distinguishes normal behavior from abnormal patterns.

The exhibit shows numerous TCP connections from the web server to many different external IP addresses, with varyingTCP statessuch as ESTABLISHED, TIME_WAIT, and FIN_WAIT. These connection states are highly valuable for threat hunting and network analysis. During DDoS activity—especially reflected or amplification-style attacks, or when a server is abused as part of an attack—connections often remain half-open, rapidly transition to TIME_WAIT, or fail to fully establish. In contrast, legitimate web traffic typically results in stable, short-lived ESTABLISHED sessions that follow predictable patterns.

Option B (destination port) is not useful here because most web traffic—both legitimate and malicious—commonly uses ports 80 or 443. Option C (IP address of the web server) provides no filtering value because all traffic already originates from that server. Option D (protocol) is also ineffective, as both normal and DDoS traffic in this case use TCP.

From a professional SOC and threat hunting standpoint,connection state analysisis a foundational technique for detecting volumetric attacks, beaconing behavior, and abnormal session churn. By filtering logs based on connection status, analysts can quickly isolate suspicious patterns such as excessive short-lived connections, abnormal teardown behavior, or asymmetric session states that are characteristic of DDoS-related activity.

This approach aligns with mature threat hunting practices:when indicators overlap, pivot to behavioral attributes. Connection status provides the necessary behavioral signal to separate expected traffic from attack traffic and supports faster, more accurate incident response.

The correct answer isreduction in attacker dwell time. Dwell time measures how long an attacker remains undetected in the environment.

As threat hunting maturity increases:

Detection becomes faster

Behavioral coverage improves

Attackers are identified earlier in the kill chain

Metrics such as alert volume or blocked IPs (Options A and D) do not reflect effectiveness and may even indicate excessive noise. Option B measures inputs, not outcomes.

Cisco’sCBRTHD blueprintfocuses onoutcomes, not activity. Reduced dwell time demonstrates:

Effective hunting

Better visibility

Stronger detection engineering

This metric directly correlates with reduced breach impact and improved resilience.

Therefore,Option Cis the correct and Cisco-aligned answer.

The correct answer isit reveals consistent attacker tradecraft across incidents. Attribution relies onbehavioral consistency, not on malware samples or exploits.

Avoiding malware and abusing legitimate tools (living-off-the-land techniques) reflects adeliberate operational strategy. These behaviors tend to remain consistent across campaigns and are frequently documented in threat intelligence profiles.

Options A and D are incorrect because no exploit or ransomware is involved. Option B is incorrect; living-off-the-land techniques are modern, not outdated.

Cisco-aligned threat hunting emphasizesMITRE ATT&CK mappingand behavioral analysis to support attribution efforts. This approach is far more reliable than artifact-based attribution.

Thus,Option Cis the correct answer.