An information security analyst observes anomalous behavior on the SCADA devices in a power plant.
This behavior results in the industrial generators overheating and destabilizing the power supply.
Which of the following would BEST identify potential indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device's IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
The correct answer is B: use tcpdump to capture packets from the SCADA device IP.
The other options are less effective for identifying potential indicators of compromise in this scenario.
Option A suggests using Burp Suite to capture packets to the SCADA device's IP. Burp Suite is an intercepting proxy built for web application security testing, not a general packet capture tool, so it is poorly suited to capturing traffic from SCADA devices.
Option C suggests using Wireshark to capture packets between SCADA devices and the management system. While this can be useful in some scenarios, it does not specifically target the SCADA device that is exhibiting the anomalous behavior.
Option D suggests using Nmap to capture packets from the management system to the SCADA devices. Nmap is a port scanner and network exploration tool, not a packet capture tool, and this option does not address the anomalous behavior on the SCADA devices themselves.
Therefore, option B is the most appropriate answer: it directly targets the SCADA device that is exhibiting anomalous behavior and captures the packets that may contain indicators of compromise. tcpdump is a command-line packet capture and analysis tool commonly used in network troubleshooting and security analysis. With tcpdump, the analyst can capture all traffic to and from the specific IP address of the affected SCADA device and then analyze it for potential indicators of compromise.
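As an added example (not part of the original question or explanation), the following Python script shows what the analyst does with such a capture after the fact. The live capture itself would be taken with a host filter, e.g. `tcpdump -i <iface> -w scada.pcap host <scada-ip>`; this script then reads the resulting pcap offline, applies the same `host` filter in Python, and flags peers and service ports that the plant's baseline does not account for. All addresses, the allowed-peer list and the expected port set are constructed assumptions for the demonstration (RFC 5737 documentation addresses; port 502 is assumed to be the device's expected Modbus/TCP service), and the pcap itself is synthesized in the script so it runs without a network interface or root privileges.

```python
"""Offline review of a tcpdump capture for one SCADA host (added example, constructed data)."""
import os
import socket
import struct
import tempfile

# Constructed addresses from the RFC 5737 documentation ranges, not a real plant.
SCADA_IP = "192.0.2.10"      # the device showing anomalous behavior
MGMT_IP = "192.0.2.20"       # the management system that is allowed to talk to it
UNKNOWN_IP = "198.51.100.7"  # a peer that is not in the baseline
OTHER_IP = "192.0.2.30"      # unrelated host, should be dropped by the host filter

ALLOWED_PEERS = {MGMT_IP}    # assumed baseline: only the management system
ALLOWED_PORTS = {502}        # assumed baseline: only Modbus/TCP on the device


def build_frame(src_ip, dst_ip, sport, dport, proto=6):
    """Build a minimal Ethernet/IPv4 frame carrying a TCP (6) or UDP (17) header, no payload."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(path, frames):
    """Write frames in classic libpcap format (little-endian magic, linktype 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for ts, frame in enumerate(frames):
            f.write(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (src, dst, proto, sport, dport) for each IPv4 TCP/UDP frame in a libpcap file."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in (6, 17):
            continue  # only TCP/UDP carry ports
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (src, dst, proto, sport, dport)


def filter_host(packets, host):
    """Same selection as the BPF filter `tcpdump host <ip>`: packets to or from the host."""
    return [p for p in packets if host in (p[0], p[1])]


def find_indicators(packets, scada_ip, allowed_peers, allowed_ports):
    """Report peers and device-side service ports that fall outside the baseline."""
    findings = set()
    for src, dst, _proto, sport, dport in filter_host(packets, scada_ip):
        peer = dst if src == scada_ip else src
        service_port = sport if src == scada_ip else dport  # the port on the SCADA device
        if peer not in allowed_peers:
            findings.add(f"unexpected peer {peer} talking to {scada_ip}")
        if service_port not in allowed_ports:
            findings.add(f"unexpected service port {service_port} on {scada_ip} (peer {peer})")
    return sorted(findings)


def run_review(path=None):
    """Synthesize a small capture, run the host filter and baseline check, return findings."""
    frames = [
        build_frame(MGMT_IP, SCADA_IP, 40000, 502),    # normal Modbus request
        build_frame(SCADA_IP, MGMT_IP, 502, 40000),    # normal Modbus reply
        build_frame(UNKNOWN_IP, SCADA_IP, 51000, 502), # Modbus from a peer not in the baseline
        build_frame(MGMT_IP, SCADA_IP, 41000, 22),     # SSH to the device: not an expected service
        build_frame(OTHER_IP, MGMT_IP, 42000, 443),    # unrelated traffic, filtered out by `host`
    ]
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    write_pcap(path, frames)
    packets = list(read_pcap(path))
    return find_indicators(packets, SCADA_IP, ALLOWED_PEERS, ALLOWED_PORTS)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

The baseline (allowed peers and expected service ports) is what turns a raw capture into indicators of compromise: anything the host filter keeps that the baseline does not explain is a lead for the analyst to investigate, which is the step the explanation above leaves implicit.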