The correct answer ismonitoring NetFlow records for abnormal beaconing patterns. Cisco Secure Network Analytics is fundamentally abehavioral analytics platform, not a signature-based detection tool.
Advanced adversaries deliberately avoid known malicious infrastructure to bypass traditional IOC-based defenses. As a result, IP addresses, domains, and threat intelligence feeds (Options A and D) provide limited long-term value and sit at thelowest levels of the Pyramid of Pain.
Stealthwatch excels at detectingbehavioral anomalies in network traffic, particularly:
Regular, low-volume outbound connections
Consistent timing intervals (beaconing)
Rare destination communication
Protocol misuse over common ports (80/443)
These patterns are characteristic ofC2 traffic, even when encryption and legitimate cloud services are used. By analyzingNetFlow telemetry, analysts can detect C2 behavior without needing to know the destination in advance.
Firewall logs (Option C) are reactive and lack behavioral context. They also miss allowed traffic, which is where most stealthy C2 operates.
This hunting technique aligns directly withCBRTHD blueprint objectivesrelated to:
Network-based threat hunting
Detecting command-and-control communications
Moving detection higher on the Pyramid of Pain
Therefore,Option Bis the most effective and Cisco-aligned answer.
