Cisco Certified Specialist – Threat Hunting and Defending (300-220) CBRTHD Exam Guide
Conducting Threat Hunting and Defending using Cisco Technologies for CyberOps v1.0 (300-220)
Exam Overview: The Conducting Threat Hunting and Defending using Cisco Technologies for CyberOps v1.0 (CBRTHD 300-220) exam is a 90-minute test associated with the CyberOps Professional Certification. It validates a candidate’s expertise in threat hunting and defense, covering areas like threat modeling, threat actor attribution, hunting techniques, processes, and outcomes. The related course helps candidates prepare for this exam.
The topics listed are general guidelines for potential exam content, though other relevant subjects may also appear. These guidelines may change at any time without notice to ensure they accurately reflect the exam’s content.
1.0 Threat Hunting Fundamentals
1.1 Apply the Threat Hunting Maturity Model to assess organizational capabilities as they relate to the Pyramid of Pain, which ranks indicator types (hash values, IP addresses, domain names, network and host artifacts, tools, and TTPs) by how costly it is for an adversary when defenders deny them.
1.2 Describe and model threats using frameworks and methodologies such as MITRE ATT&CK, CAPEC, TaHiTI, and PASTA to understand adversary behavior and strategies.
1.3 Discuss the limitations of detection tools in identifying malware behavior, its spread, and detection challenges.
1.4 Evaluate the pros and cons of using automation, such as AI and machine learning, within a Security Operations Center (SOC) for efficiency and effectiveness.
1.5 Identify differences in tactics, techniques, and procedures (TTPs) of advanced persistent threats versus other threat actors through log analysis.
1.6 Analyze a threat intelligence report to infer characteristics of a threat actor, focusing on:
- 1.6.a Tactics: The adversary's objectives at each stage of an intrusion (the "why", such as initial access or exfiltration).
- 1.6.b Techniques: How each objective is achieved (the "how", such as phishing or credential dumping).
- 1.6.c Procedures: The specific implementation a given actor uses, including tools, commands, and infrastructure.
2.0 Threat Modeling Techniques
2.1 Choose the appropriate threat modeling approach for different scenarios to identify potential risks.
2.2 Utilize MITRE ATT&CK to model threats, focusing on TTPs and any changes in these areas.
2.3 Explain the purposes of structured and unstructured threat hunting in different contexts.
2.4 Prioritize attacks using the Cyber Kill Chain and MITRE ATT&CK frameworks to understand their severity and impact.
2.5 Use the MITRE CAPEC model to determine the priority level of different attack types.
2.6 Handle threat intelligence effectively, including gathering, cataloging, utilizing, and eventually removing outdated information.
3.0 Threat Actor Attribution Techniques
3.1 Use logs to determine the TTPs of attackers for accurate attribution.
3.2 Interpret the TTPs associated with specific threat actors for better understanding and response.
3.3 Identify methods that differentiate between authorized assessments and real attacks, such as those from penetration testers versus threat actors.
3.4 Identify artifacts that can detect advanced persistent threat actors at all levels of the Pyramid of Pain, focusing on:
- 3.4.a Tactics
- 3.4.b Techniques
- 3.4.c Procedures
4.0 Threat Hunting Techniques
4.1 Utilize scripting languages like Python and PowerShell to enhance detection capabilities and analytics.
4.2 Conduct threat hunting specifically within cloud environments to identify potential risks.
4.3 Use endpoint artifacts to uncover threats that may have gone undetected.
4.4 Analyze C2 (command and control) communications from infected hosts through endpoint data.
4.5 Identify suspicious activities using data from network sessions and protocols.
4.6 Determine the infection stage by analyzing C2 traffic data.
4.7 Use code-level analysis tools to find weaknesses in code, such as PE Checker, Burp Suite, and Semgrep.
4.8 Discuss the analysis of applications and operating systems used by IoT devices to identify vulnerabilities.
4.9 Describe memory-resident attacks and use tools like Volatility for in-depth memory analysis.
4.10 Create a detection signature to identify or analyze threats effectively.
4.11 Assess the likelihood of an attack occurring via specific vectors in a given environment.
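Objectives 4.1 and 4.4 through 4.6 come together in a classic hunt: finding C2 beaconing in network session data with a script. The following Python example is added here to illustrate that workflow; it is not Cisco course material or part of the exam. It parses a reduced Zeek-style conn.log (the sample records, hosts, and byte counts are constructed for the example), groups connections by source, destination, and port, and scores each flow on how regular its connection intervals are. A low-jitter, fixed-size check-in to one external host is a behavioural indicator that sits near the top of the Pyramid of Pain, because it survives the adversary rotating hashes, IPs, and domains.

```python
"""Beaconing hunt over Zeek-style conn.log records (added example).

Periodic, low-jitter connections to the same external host with a
consistent payload size are a behavioural C2 indicator. The input here
is a constructed conn.log excerpt, not captured traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _conn_lines(src, dst, port, start_ts, deltas, orig_bytes):
    """Construct sample records. Fields mirror a reduced Zeek conn.log:
    ts, id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes."""
    lines, ts = [], start_ts
    for gap, size in zip([0.0] + deltas, orig_bytes):
        ts += gap
        lines.append(f"{ts:.3f}\t{src}\t{dst}\t{port}\ttcp\t{size}\t{size * 2}")
    return lines


# Constructed sample data: one implant checking in every ~60 s with a
# fixed-size request, and one user browsing a site at irregular intervals.
SAMPLE_CONN_LOG = "\n".join(
    _conn_lines("10.0.0.5", "203.0.113.10", 443, 1700000000.0,
                [60.0, 60.4, 59.7, 60.1, 60.3, 59.9, 60.2], [512] * 8)
    + _conn_lines("10.0.0.7", "198.51.100.7", 443, 1700000000.0,
                  [3.1, 47.0, 2.2, 310.5, 9.9, 120.3, 0.8],
                  [1488, 302, 9120, 640, 22011, 128, 3104, 775])
)


def parse_conn_log(text):
    """Yield (ts, src, dst, port, orig_bytes) from tab-separated records."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, _proto, obytes, _rbytes = line.split("\t")
        yield float(ts), src, dst, int(port), int(obytes)


def hunt_beacons(text, min_conns=6, max_jitter=0.15):
    """Score every (src, dst, port) flow with enough connections.

    jitter  = stdev(interval) / mean(interval); near 0 means clockwork timing.
    size_cv = stdev(orig_bytes) / mean(orig_bytes); near 0 means fixed-size
              check-ins, typical of an implant polling for tasking.
    Thresholds are assumptions for the example, not vendor defaults.
    """
    flows = defaultdict(list)
    for ts, src, dst, port, obytes in parse_conn_log(text):
        flows[(src, dst, port)].append((ts, obytes))

    findings = []
    for (src, dst, port), recs in flows.items():
        if len(recs) < min_conns:
            continue  # too few samples to judge periodicity
        recs.sort()
        stamps = [r[0] for r in recs]
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = mean(deltas)
        jitter = pstdev(deltas) / interval if interval else float("inf")
        sizes = [r[1] for r in recs]
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        findings.append({
            "src": src, "dst": dst, "port": port, "count": len(recs),
            "interval_s": round(interval, 2), "jitter": round(jitter, 4),
            "size_cv": round(size_cv, 4),
            "verdict": "likely beacon" if jitter <= max_jitter else "irregular",
        })
    # Most regular flows first: these are the ones to pivot on.
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in hunt_beacons(SAMPLE_CONN_LOG):
        print(f)
```

Run it and the 10.0.0.5 to 203.0.113.10:443 flow is reported with an interval of about 60 s and jitter near zero, while the browsing flow scores as irregular. In a real hunt the next steps are the ones the blueprint lists: pivot from the flagged pair to endpoint artifacts on 10.0.0.5 to find the process owning the socket (4.3), and look at payload sizes over time to infer the infection stage (4.6), since a fixed-size idle check-in looks different from the larger transfers that follow tasking. Legitimate software also beacons (update checks, telemetry, NTP), so allowlist known pollers and treat the score as a lead, not a verdict.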
5.0 Threat Hunting Processes
5.1 Outline the process for identifying memory-resident attacks within a system.
5.2 Use reverse engineering to detect compromises and understand malicious code.
5.3 Identify detection gaps, including:
- 5.3.a Vulnerabilities
- 5.3.b Configuration errors
- 5.3.c Threats
5.4 Interpret data from memory-specific tools to uncover hidden threats.
5.5 Develop a runbook or playbook for addressing specific detectable scenarios.
5.6 Recommend appropriate tools, configurations, and techniques for detection and deception in various scenarios.
5.7 Suggest remediation strategies based on the outcomes of threat assessments.
5.8 Propose changes to enhance the effectiveness and efficiency of threat hunting operations.
5.9 Recommend countermeasures and mitigations to address identified security risks.
6.0 Threat Hunting Outcomes
6.1 Explain how integrating multiple products enhances data visibility and speeds up analysis.
6.2 Diagnose analytical gaps using established threat hunting methodologies.
6.3 Suggest strategies to block C2 traffic effectively.
6.4 Recommend improvements in hunting capabilities to advance in the Threat Hunting Maturity Model.
6.5 Propose changes to detection methodologies to address analytical and process gaps.
6.6 Utilize presentation resources to convey findings and drive changes in the environment effectively.