EDWARDS AIR FORCE BASE, Calif. -- A sophisticated readiness exercise tested Edwards Air Force Base ability to counter complex and coordinated attacks, involving both digital and physical threats, March 30 to April 3.
"We have an obligation to provide our members and mission partners with the most realistic training possible; this means conducting mission rehearsals, not just exercises," Lt. Col. Matthew Frebert, 412th Communications Squadron commander, said. "We must continually ask ourselves, 'Are we training for how we fight as closely as we possibly can?' This is how we strengthen our posture, agility, and adaptability to become 'future-proof' against evolving threats."
The simulation began when the 412th Communications Squadron sent an email to all base personnel—military, civilian and contractors— warning of a wage garnishment. The deceptive message appeared to be from the Defense Finance and Accounting Service and directed recipients to a password-protected PDF, requiring them to click an external link to retrieve the password.
While some personnel clicked the link, several vigilant members reported the email to the Research, Development, Test, and Evaluation Defensive Cyber Operations Response Element.
"The moment the first suspicious email was reported, our REDCORE analysts went on high alert, scouring the network for any sign of intrusion. It wasn't long before they found a cluster of anomalous devices attempting to connect from unrecognized points of entry. The pattern and timing of the connections immediately suggested this was no isolated event, but a well-orchestrated attack unfolding in real-time," Michael Cook, 412th CS deputy director, said.
Airmen 1st Class Elijah Hubble and Owen Gettings, 412th Communications Squadron, prepare to deploy flyaway kits during a readiness exercise at Edwards Air Force Base, California, April 2. The kits are portable servers that enable immediate operations in remote or tactical environments following a cyberattack. (U.S. Air Force photo by Giancarlo Casem)
The situation escalated when an employee, exhibiting signs of an insider threat, initiated a physical attack on the installation. It was later revealed that this individual had used his/her legitimate credentials to enable the initial cyber-attack, creating a convergence of digital and physical threats.
“Warning signs that an employee could become an insider threat include behavioral changes like emotional outbursts, workplace disagreements and social withdrawal. Other indicators are expressing feelings of being treated unfairly, justifying rule violations, criticizing the government or supporting U.S. adversaries,” Christine Dingman, 412th Test Wing Inside Threat Program manager, said.
A multi-agency response was immediately activated. The 412th Security Forces Squadron, Air Force Office of Special Investigations, 412th Range Squadron, 412th Civil Engineer Group and REDCORE worked simultaneously to counter the free-flowing threat. The goal was not only to neutralize the physical attack and counter the digital breach but also to test internal communication and resource management under pressure.
“Cyber plays an integral role in force protection. The indication of cyber hostilities in this rehearsal generated ground tasking orders to deepen our physical defense in depth. The collective teamwork between the Communications and Security Forces Squadrons fed the base threat working group and allowed patrols to respond aggressively towards the physical threat caused by this situation,” Capt. Alexander Johnson, 412th Security Forces Squadron director of operations said.
REDCORE performed host and network forensics to trace the simulated attacker's digital footprint, feeding critical intelligence to defenders from the 412th SFS, OSI and 412th RS operating in the field. Concurrently, the 412th CEG worked to ensure the installation's infrastructure remained secure and operational throughout the siege.
"The 412th CEG is constantly monitoring all utility and facility support systems across the installation," said Francisco Badiano, 412th CEG deputy director. "In scenarios like this exercise, if something doesn’t look right, we deploy our assessment and repair teams at a moment’s notice. We work closely with trained facility managers who are ready to secure their sites and report anomalies to ensure mission continuity."
The successful exercise validated the base's defense strategies and provided valuable lessons for countering modern security challenges.
"In today's fight, it’s critical to safeguard both the physical and cyber domain. This mission rehearsal proves our ability to ensure operational continuity with our mission partners, revealing potential shortfalls, and practicing incident response and recovery for ‘when’ not ‘if’ breeches occur. We ensure the network will never be the limiting factor, ensuring the 412th Test Wing executes its vital mission: Sharpening American Airpower," Frebert said.