The correct answer is small, periodic outbound connections to a rare destination. Beaconing is a hallmark of command-and-control (C2) communication, particularly in stealthy malware campaigns.
Attackers design C2 channels to:
Minimize bandwidth usage
Blend into normal traffic
Avoid triggering threshold-based alerts
As a result, beaconing traffic often consists of low-volume connections at regular intervals to the same external destination. Cisco Secure Network Analytics is purpose-built to detect this type of behavioral anomaly using NetFlow and telemetry analysis.
Option A suggests data exfiltration rather than beaconing. Option B is too broad and unspecific. Option D relates to denial-of-service or scanning activity, not C2.
This hunting technique aligns with MITRE ATT&CK – Command and Control and is explicitly covered in the CBRTHD blueprint under network-based threat hunting. Detecting beaconing behavior forces attackers to significantly alter their communication strategy, increasing their operational cost.
Therefore, Option C is the correct and Cisco-aligned answer.
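The three traits named above (small, periodic, rare destination) can be turned into a simple hunting heuristic over flow records. The following is an added example, not part of the original explanation and not how Cisco Secure Network Analytics works internally; the flow records, thresholds and the `find_beacons` helper are constructed for illustration, and "rare" is assumed to mean "contacted by only one internal host".

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out).
FLOWS = (
    # One host, one destination, roughly every 60 s, about 300 bytes each.
    [(1000 + 60 * i + j, "10.0.0.5", "203.0.113.7", 300 + j)
     for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0])]
    # Popular destination: many hosts, irregular timing, larger transfers.
    + [(t, f"10.0.0.{h}", "198.51.100.10", 50_000)
       for h in range(1, 6) for t in (1003, 1017, 1200, 1234, 1390, 1460)]
    # Rare destination, but large and irregular (closer to the exfiltration pattern).
    + [(t, "10.0.0.9", "192.0.2.44", 5_000_000)
       for t in (1010, 1100, 1105, 1400, 1420, 1490)]
)

def find_beacons(flows, min_conns=6, max_avg_bytes=1024,
                 max_jitter=0.1, max_sources=1):
    """Return sorted (src, dst, mean_interval_s, jitter) for beacon-like pairs.

    jitter is the coefficient of variation of the gaps between connections:
    a value near 0 means the connections are evenly spaced.
    """
    times, sizes, sources = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, src, dst, nbytes in flows:
        times[(src, dst)].append(ts)
        sizes[(src, dst)].append(nbytes)
        sources[dst].add(src)

    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_conns:
            continue                      # too few samples to judge periodicity
        if len(sources[dst]) > max_sources:
            continue                      # destination is not rare
        if mean(sizes[(src, dst)]) > max_avg_bytes:
            continue                      # not low-volume
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Malware that randomizes its sleep interval raises the jitter value, so `max_jitter` is a tuning trade-off between missed beacons and false positives from legitimate pollers such as update checks.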