A cybersecurity analyst noticed unexpected communication between an internal host and an external IP address, which is not part of the organization's typical traffic patterns. The communication occurs at consistent intervals and the volume of data being sent is substantial. Which tool should the analyst employ to gather evidence that could indicate a compromise and facilitate a deeper investigation?
Deploy an endpoint detection and response (EDR) solution to monitor the behavior of the internal host.
Utilize tcpdump to capture and analyze the suspicious network traffic.
Run a vulnerability scanner on the involved host and the network to detect any existing security gaps.
Review the firewall rules to discern any misconfigurations allowing the said traffic.
A packet capture tool such as tcpdump is essential for examining raw network traffic to identify the nature of the data being transmitted to the external IP address. By capturing the incoming and outgoing packets, the analyst can determine if the pattern corresponds to known malicious activities, such as command and control (C&C) communications, and identify any data exfiltration. Using a vulnerability scanner would typically identify vulnerabilities rather than analyze ongoing traffic for indicators of compromise. Reviewing firewall rules is a preventive step that could potentially stop such traffic but would not analyze it directly for evidence of compromise, and EDR tools are generally focused on endpoint monitoring and would not analyze network traffic at the packet level.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is tcpdump and how does it work?
Open an interactive chat with Bash
What are indicators of compromise (IOCs) and why are they important?
Open an interactive chat with Bash
What is command and control (C&C) communication in cybersecurity?