Can we build a comprehensive cyber hunt kit from ICS/SCADA-based tools, entirely or mostly open-source, to hunt effectively on ICS/SCADA networks with the lowest risk to the mission partner and the highest chance of success for the team?
The traditional CVA/H kit is not designed with ICS/SCADA or other sensitive systems in mind. It lacks equipment to passively map the network and parsers for the specialized protocols in use. A number of effective open-source tools exist, but they could be combined into a comprehensive kit, together with knowledge dashboards and playbooks targeting the known adversary TTPs in ICS environments that make their actions stand out from normal traffic.
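As an added illustration (not part of the original question) of the two gaps named above, the following passive Modbus/TCP parser builds an asset map purely from observed traffic and flags write function codes from hosts that never wrote during a baseline window. Modbus/TCP is assumed here as the example protocol; all addresses and frames are constructed.

```python
import struct
from collections import defaultdict
WRITE_FCS = {5, 6, 15, 16}  # Modbus function codes that change PLC state

def modbus_frame(txn, unit, func, data):
    """Build a Modbus/TCP frame: MBAP header (txn, proto=0, length, unit) + PDU."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu

def parse_modbus(frame):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP frame, else None."""
    if len(frame) < 8:
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # not Modbus, or truncated/padded
        return None
    return unit, frame[7]

def passive_map(flows):
    """Asset map built only from observed traffic: (dst, unit) -> {(src, func)}."""
    inventory = defaultdict(set)
    for src, dst, frame in flows:
        parsed = parse_modbus(frame)
        if parsed is not None:
            unit, func = parsed
            inventory[(dst, unit)].add((src, func))
    return inventory

def hunt_writes(baseline, live):
    """Writes from a (src, dst, unit) triple that never wrote during the baseline window."""
    known = {(s, d, u) for (d, u), pairs in baseline.items()
             for s, f in pairs if f in WRITE_FCS}
    alerts = [(s, d, u, f) for (d, u), pairs in live.items()
              for s, f in pairs if f in WRITE_FCS and (s, d, u) not in known]
    return sorted(alerts)

# Constructed sample traffic (not a real capture): the HMI polls the PLC, the EWS writes to it.
HMI, EWS, PLC = "10.0.0.10", "10.0.0.20", "10.0.0.50"
BASELINE = [
    (HMI, PLC, modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),  # FC3 read holding registers
    (EWS, PLC, modbus_frame(2, 1, 6, b"\x00\x05\x00\x01")),  # FC6 write single register
]
LIVE = BASELINE + [
    ("10.0.0.99", PLC, modbus_frame(3, 1, 5, b"\x00\x01\xff\x00")),  # FC5 from unseen host
    (HMI, PLC, modbus_frame(4, 1, 6, b"\x00\x05\x00\x00")),          # HMI never wrote before
]
if __name__ == "__main__":
    for alert in hunt_writes(passive_map(BASELINE), passive_map(LIVE)):
        print("write outside baseline (src, dst, unit, func):", alert)
```

In a real kit the same baseline/live comparison would be fed from a passive tap rather than constructed frames, and the inventory would seed the asset list that the rest of the hunt playbooks reference.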