The correct answer is detecting abnormal authentication behavior across VPN and cloud access. This outcome targets behavioral detection, which sits significantly higher on the Pyramid of Pain than static indicators.
Options A and C rely on domains and hashes, which attackers can trivially change. Option D is a response action, not a hunting outcome.
Credential misuse is one of the most common initial access vectors, especially in cloud and remote-access environments. Detecting abnormal authentication behavior—such as:
Impossible travel
Unusual login times
Excessive failed logins
Geographic anomalies
forces attackers to change how they operate, not just what infrastructure they use.
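The four behaviors listed above can each be expressed as a simple hunting rule over identity telemetry. The following Python is an added example, not code from the original page and not part of any Cisco product: it runs four detections (impossible travel, unusual login hours, excessive failed logins, and a never-before-seen country) over constructed VPN/SSO authentication events. The events, the per-user baselines, the field names and the thresholds (900 km/h, five failures in ten minutes, a 07:00 to 19:00 UTC working window) are all assumptions chosen for illustration; a real hunt would derive the baselines from historical successful logins and tune the thresholds to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample VPN/SSO authentication events (not real telemetry).
# Timestamps are UTC; lat/lon stand in for a hypothetical IP geolocation lookup.
EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:05:00", "src": "sso", "result": "success", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "ts": "2024-05-01T09:10:00", "src": "vpn", "result": "success", "country": "DE", "lat": 52.52, "lon": 13.40},
    {"user": "bob",   "ts": "2024-05-01T03:12:00", "src": "vpn", "result": "success", "country": "US", "lat": 37.77, "lon": -122.42},
    {"user": "dave",  "ts": "2024-05-01T14:00:00", "src": "sso", "result": "success", "country": "BR", "lat": -23.55, "lon": -46.63},
] + [
    # six failed VPN logins for carol, one per minute from 10:00 to 10:05
    {"user": "carol", "ts": f"2024-05-01T10:0{m}:00", "src": "vpn", "result": "failure", "country": "US", "lat": 41.88, "lon": -87.63}
    for m in range(6)
]

# Constructed per-user baselines (assumed): countries normally seen for the user
# and the usual working window as (start_hour, end_hour) in UTC, end exclusive.
BASELINE = {
    "alice": {"countries": {"US"}, "hours": (7, 19)},
    "bob":   {"countries": {"US"}, "hours": (7, 19)},
    "carol": {"countries": {"US"}, "hours": (7, 19)},
    "dave":  {"countries": {"US"}, "hours": (7, 19)},
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive successful logins per user whose implied speed exceeds an airliner's."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            # floor the interval at one second so simultaneous logins do not divide by zero
            hours = max((_ts(cur) - _ts(prev)).total_seconds() / 3600, 1 / 3600)
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km / hours > max_speed_kmh:
                findings.append({"rule": "impossible_travel", "user": user,
                                 "detail": f"{km:.0f} km in {hours:.2f} h ({prev['country']}->{cur['country']})"})
    return findings


def detect_unusual_hours(events, baseline):
    """Successful logins outside the user's baseline working window."""
    findings = []
    for e in events:
        if e["result"] != "success" or e["user"] not in baseline:
            continue
        start, end = baseline[e["user"]]["hours"]
        if not (start <= _ts(e).hour < end):
            findings.append({"rule": "unusual_hours", "user": e["user"],
                             "detail": f"login at {e['ts']} UTC via {e['src']}"})
    return findings


def detect_geo_anomalies(events, baseline):
    """Successful logins from a country never seen in the user's baseline."""
    findings = []
    for e in events:
        if e["result"] != "success" or e["user"] not in baseline:
            continue
        if e["country"] not in baseline[e["user"]]["countries"]:
            findings.append({"rule": "geo_anomaly", "user": e["user"],
                             "detail": f"first seen from {e['country']} via {e['src']}"})
    return findings


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` failures for one user inside a sliding window; one finding per user."""
    findings, by_user = [], defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(_ts(e))
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"rule": "failed_login_burst", "user": user,
                                 "detail": f"{threshold}+ failures within {window} starting {times[i].isoformat()}"})
                break
    return findings


def hunt(events, baseline):
    """Run all four behavioral rules and return the combined findings."""
    return (detect_impossible_travel(events) + detect_unusual_hours(events, baseline)
            + detect_geo_anomalies(events, baseline) + detect_failed_login_bursts(events))


if __name__ == "__main__":
    for f in hunt(EVENTS, BASELINE):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

Run as a script, it prints five findings: alice trips both impossible travel (roughly 6,400 km between New York and Berlin in 65 minutes) and the geographic rule, bob logs in at 03:12 UTC, carol produces six failures in five minutes, and dave appears from a country not in his baseline. None of these rules depends on a domain or hash, which is why an attacker has to change behavior, not infrastructure, to evade them.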
Cisco tools such as:
Secure Network Analytics
Secure Endpoint
Secure Firewall
Identity telemetry via VPN and SSO
enable this higher-fidelity detection approach. This aligns directly with CBRTHD blueprint objectives focused on identity-based threat hunting.
Therefore, Option B is correct.