A cybersecurity analyst noticed unexpected communication between an internal host and an external IP address, which is not part of the organization's typical traffic patterns. The communication occurs at consistent intervals and the volume of data being sent is substantial. Which tool should the analyst employ to gather evidence that could indicate a compromise and facilitate a deeper investigation?
Run a vulnerability scanner on the involved host and the network to detect any existing security gaps.
Review the firewall rules to discern any misconfigurations allowing the said traffic.
Utilize tcpdump to capture and analyze the suspicious network traffic.
Deploy an endpoint detection and response (EDR) solution to monitor the behavior of the internal host.