Troubleshooting Network Issues for United States Cyber Command

Congratulations! You have been hired as a junior network administrator the?United States Cyber Command.?You are a part of the National Mission Team and that team has been requested for a critical assignment. Soon, your team will deploy to help cyber forces operating out of an undisclosed location.? ?

All you know?now?is that there are issues with the network the teams on site need help with troubleshooting.?The team is depending on your advice and guidance.?

Read the email from the chief of operations to get started.

We arrived on site one week ago to prepare for persistent cyber engagement and to defend forward. Two days before the start of our operations, we noticed problems with the network. We must be operational within the next 48 hours, and we need your help. 

1. On Day 2 of full operational capability (FOC), our connection to the internet was becoming intermittent. We could establish connections to our globally hosted servers some of the time. The connection would drop at seemingly random periods and we don't know why. We have experienced this day and night, and it has been consistent for the past three days. 

2. When our connection to the internet is working, we seemingly cannot reach out to our globally dispersed servers from our hosts. We use the globally dispersed servers for command and control and must be able to connect to them. We need a method to determine where the packets are going and why they are not reaching their destination. Because these servers are globally distributed, we can't just pick up and deploy to them.  

3. Our internal network servers are also spotty. Sometimes they are up, and sometimes they are down. For example, the DHCP server appears to provide IP addresses to hosts that are turned on sometimes, but other times when the host is turned on, it receives an Automatic Private IP Address (APIPA). These hosts can communicate with our networked hosts locally, but they can't reach out to our global servers. These hosts enable our persistent engagement capability, so they must be functional, and we need to determine the problem ASAP! 

4. We have a team that can troubleshoot from afar, but they are located 25 miles west of this location. We have one of their tech support personnel deployed on site, but there are just too many issues for one person. The support team that is 25 miles west is centrally located to support multiple operational outfits. That team has a virtual private network (VPN) and secure access to our internal servers. At times, support team members need to determine which of our hosts are functioning. We use both Microsoft Windows and Linux operating systems, but we don't know what tool will help determine host functionality from afar. 

5. This next part is classified, but I need your help, and I need it fast. Bottom line, we believe there may be an insider threat. At times, we have reason to believe a nonapproved device is connecting to the network and reaching out to the internet. We need a method to determine what devices exist on the same subnet of our network. What can help us do that? 

6. When we begin operations in 72 hours, it will be of utmost importance for us to know what device name is associated with what IP address. This will allow us to know what exists internally and what we need to defend should the adversary begin operations against us. We need to understand what options exist to achieve this task.

7. When we first arrived and established our connection to the internet, we noticed inbound connection requests. What tool can we use to determine if any adversary is reaching into our systems through a particular port or protocol?