Module 2.6 — IR Playbook: Deepfake-Suspected Incident
50-minute lecture · Day 2 afternoon · Lab follows
Learning objectives
By end of this module, students can:
- Execute the first 30 minutes of IR for a deepfake-suspected incident: preserve audio/video artifacts, freeze the source channel, OOB-verify with the impersonated party, hold financial transactions
- Cite the regulatory notification timelines for: US FinCEN SAR (with
FIN-2024-DEEPFAKEFRAUDkeyword), EU NIS2/DORA (24h early warning, 4h DORA classification, 72h full report), UK FCA (without undue delay), Singapore MAS (3h from discovery) - Coordinate transaction reversal windows: FBI IC3 RAT filing (golden hour first 4 hours, viable 0-48h), SWIFT R-message/MT192 (optimal within 24h, drops sharply after 48h), Hold Harmless Agreement submission (parallel to IC3)
- Apply forensic preservation discipline (multi-algorithm hashing, native-container preservation, metadata extraction, immutable chain-of-custody) suitable for insurance/litigation
The first 30 minutes
When a deepfake-suspected incident is reported, the SOC has a small window to take actions that materially change the outcome. The playbook for the first 30 minutes:
Minute 0-5: Triage and triage decision
- Receiver of report (typically a finance employee, IT helpdesk, or executive assistant) escalates to SOC with: timestamp of suspect call/email/video, channel used, requested action, source phone/email/account
- SOC opens an incident ticket and assigns severity. A wire-transfer request through a non-standard channel from an executive is automatically P1 until proven otherwise.
Minute 5-10: Preserve artifacts
- Audio: if the suspect call was recorded (voicemail, call-recording system), pull the raw audio file. Compute SHA-256 hash immediately. Store in evidence locker.
- Video: if a video call, pull the recording or any saved screenshots. Hash. Preserve native container (do not transcode — pixel-level artifacts and codec metadata are destroyed by re-encoding).
- Email/chat: preserve in original format. Forward as attachment, not inline. Pull headers.
- Metadata: run
exiftoolor equivalent against any media files to extract embedded metadata (creation software, encoder version, original timestamps, GPS if present).
Minute 10-15: Freeze the channel
- If the source was a WhatsApp number: block at the corporate-device MDM level; do not engage further
- If the source was an email address: block at the gateway; rotate any keys/passwords that were referenced in the suspect message
- If the source was a Slack DM: revoke any external-guest access used; alert Slack admin
- If the suspect call referenced specific account numbers or transaction details: flag those for transaction-monitoring escalation
Minute 15-20: Out-of-band verification with the impersonated party
- Contact the actually-impersonated executive (or vendor, depending on the case) through a known-trusted channel — corporate phone, in-person, internal Slack with verified identity, etc.
- Confirm: did you make this request? If yes, this may not be a deepfake (occasional false positive). If no, the incident is confirmed.
Minute 20-30: Financial holds
- If any financial action has been initiated (wire transfer submitted, payment authorized), contact the treasury/wire desk immediately
- Request hold on the transaction if still in the wire system
- If already executed, this is when the FBI IC3 RAT and SWIFT recall windows become time-critical (see below)
Regulatory notification timelines
The applicable notification regime depends on jurisdiction and incident type. Major windows the SOC should know:
US — FinCEN SAR
- Applicable when: financial institution observes suspicious activity matching deepfake-fraud patterns
- Threshold: $5,000 for most institutions; $2,000 for money services businesses (MSBs)
- Deadline: 30 days from determination (standard); shorter for ongoing investigations
- Tagging: field 2 (“Filing Institution’s Note to FinCEN”) must include the keyword
FIN-2024-DEEPFAKEFRAUDper FinCEN Alert FIN-2024-Alert004 (Nov 13, 2024) - Nine specific red-flag indicators from the alert should be referenced in the SAR narrative
US — State breach notifications (NY SHIELD, CA SB 446, etc.)
- Applicable when: unauthorized access to biometric data (voiceprints, facial likenesses) occurred or is suspected
- NY SHIELD Act amendments specifically include biometric data
- Deadline: 30 days from discovery (varies by state)
- Notify: affected individuals + state attorney general (above thresholds)
EU — NIS2 (broad ICT incidents)
- Applicable when: major ICT incident with significant operational impact
- Early warning: 24 hours
- Initial classification: per DORA (financial services): 4 hours
- Full report: 72 hours
EU — DORA (financial sector)
- Applicable when: major ICT-related incident affecting a financial entity
- 4 hours from classification to initial notification
- Major-incident criteria (DORA Article 18): impact on critical functions, geographical scope, duration, etc.
UK — FCA Principle 11
- Applicable when: material incident causing intolerable harm to consumers or market integrity
- Deadline: “without undue delay” — interpreted as same-day or next-business-day for serious incidents
- Format: depends on firm size and supervisory relationship
Singapore — MAS Notice 644
- Applicable when: relevant incident affecting critical systems or significant fraud
- Deadline: 3 hours from discovery
- Notification: MAS-specified format
The detection engineer’s job: pre-build the notification trigger logic in your SIEM so that the right SAR/regulatory-notification queue is auto-populated when the incident-type criteria are met. Manual translation of “we have an incident” → “what notifications do we need to file” is too slow when the shortest window is 3 hours.
Transaction reversal coordination
If financial harm has occurred, the SOC’s job pivots from prevention to recovery. The viable channels and their windows:
FBI IC3 Recovery Asset Team (RAT)
- What it does: files a formal asset-freeze request through the FBI to receiving banks
- Window: “Golden hour” is the first 4 hours after the fraudulent transfer; viable up to 48 hours
- Effectiveness: in domestic wires under the golden-hour window, IC3 RAT has documented success rates of ~70% asset recovery; drops dramatically after 24 hours
- Filing channel: ic3.gov complaint form + direct contact with FBI field office for high-value cases
SWIFT R-message (MT192) or recall
- What it does: instructs the originating bank to send a recall message through SWIFT to the receiving bank
- Window: optimal within 24 hours; success drops sharply after 48h; near-zero after 72h
- Filing channel: through your treasury function to the originating bank
- Caveat: SWIFT recalls require the receiving bank’s cooperation, which depends on jurisdiction and bank relationship
Hold Harmless Agreement
- What it does: allows the receiving bank to freeze/reverse funds without liability to the receiving customer
- Timing: file in parallel with IC3 RAT and SWIFT recall — not sequential
- Channel: through your bank’s relationship manager; bank submits to receiving bank
The integrated recovery playbook the SOC runs in parallel during hour 1-4 post-incident:
Hour 0-1: IR triage, preserve artifacts, freeze channels, OOB-verify
Hour 1-2: File IC3 RAT, initiate SWIFT R-message, prepare Hold Harmless
Hour 2-4: Coordinate with receiving bank (via your bank's relationship)
Hour 4-24: Continue follow-up; transition to formal SAR filing track
Hour 24+: Insurance claim notification, legal coordination, post-mortemForensic preservation discipline
For incidents that may proceed to insurance claim, litigation, or criminal investigation, the artifact preservation steps must satisfy chain-of-custody requirements:
Step 1: Multi-algorithm hashing
Compute SHA-256 and MD5 hashes of every preserved artifact immediately upon acquisition. Store the hashes in an immutable log. This establishes a digital fingerprint that pre-empts later “the file was tampered with” claims.
Step 2: Native container preservation
Do NOT transcode media before analysis. Deepfake detection algorithms rely on pixel-level artifacts and codec-specific noise patterns that are destroyed by re-encoding. Preserve in the original container format (MP4, MOV, WAV) with the original codec.
Step 3: Metadata and provenance extraction
Run exiftool (or equivalent) against the artifact. Capture: creation software identifier, encoder version, frame rate, container metadata, any GPS coordinates, any embedded camera/device identifiers. This often reveals AI tool signatures (FFmpeg pipelines, model tags) and stream-timestamp inconsistencies.
Step 4: Immutable chain of custody
Document who accessed the artifact, when, with what tool, for what purpose. Use write-once storage where available. Insurance claims and litigation outcomes depend heavily on whether chain-of-custody can be demonstrated.
Step 5: C2PA verification if applicable
If the artifact has a C2PA manifest, verify it per Module 2.3’s pipeline. Record the verification result in the evidence log alongside the hashes.
Documented playbook references
Two organizations have published deepfake-suspected-incident playbooks the SOC can adapt:
- FS-ISAC — “Deepfakes and Generative AI: Responding to Synthetic Media” — financial-sector-specific guidance from the Financial Services Information Sharing and Analysis Center
- Monetary Authority of Singapore (MAS) — “Information Paper on Deepfakes” (2025) — includes a security incident management section
Both documents are worth pulling for any SOC building or updating its deepfake IR playbook. The detection engineer should adapt these — they’re starting points, not drop-in solutions.
The post-incident phase
Once acute response is complete (typically within 72 hours), the SOC owns several follow-on activities:
- Post-mortem: what specifically allowed this incident to reach the action stage? Which controls fired (or should have fired)? What workflow-gap or artifact-detection signal was absent?
- Detection-rule update: if the workflow-gap rule from Module 2.4 didn’t catch this, either the rule didn’t exist, the data source wasn’t ingested, or the threshold was wrong. Update accordingly.
- Lessons-learned communication: to the rest of the org. The Ferrari case is taught at MIT Sloan because Ferrari published it. Internal sharing of near-misses (with appropriate confidentiality) builds organizational defense.
- Regulatory follow-through: the formal SAR, the NIS2 full report, the FCA submission — these all have longer deadlines than the initial notifications. Track them.
- Insurance-claim coordination: with hashes, chain-of-custody, and the artifact preservation work from earlier, the claim file is much stronger.
Discussion questions (~10 min)
- Your org discovers a deepfake-driven wire transfer of $2.4M at 6:00 PM on a Friday. Walk through the next 24 hours — which actions are time-critical (IC3 RAT? SWIFT recall? FinCEN SAR? state breach notification?), and what does the calendar look like through Monday morning?
- The FinCEN keyword
FIN-2024-DEEPFAKEFRAUDmust be in field 2 of the SAR. Why does FinCEN want this tag specifically? What does the SOC learn from the aggregate of these tagged SARs (i.e., what reporting does FinCEN publish back)? - You preserve a suspect audio file with SHA-256 hash and native-container format. The defense attorney later argues the audio detector misclassified the audio. What additional artifacts would you want preserved at the time of acquisition to address this challenge?
Common mistakes
| Mistake | Better approach |
|---|---|
| Transcoding audio/video for “easier analysis” | Preserve native container; transcode a copy for analysis if needed |
| Manual SAR-keyword tracking | Encode the FinCEN keyword logic in the SIEM-to-SAR pipeline so the keyword auto-populates |
| Treating IC3 RAT as a slow process | Golden hour is 4 hours; have the RAT submission ready as part of incident response, not as a separate workflow |
| Skipping chain-of-custody for “small” incidents | Every preserved artifact gets chain-of-custody. Investigations and litigation can resurface incidents months later. |
| Filing notifications sequentially | NIS2 + DORA + state breach + FinCEN all run in parallel; the 3-hour MAS clock + 4-hour DORA clock + 24-hour NIS2 clock are concurrent |
Closing Day 2
Day 2 has covered:
- Arup HK$200M anchor case (2.1) — the canonical incident, follow-on cases, FBI IC3 numbers
- Audio detection (2.2) — AASIST family, current open-source models, working pipeline with heuristic fallback, known evasions
- Video detection + C2PA (2.3) — why detection is harder than audio, C2PA adoption snapshot, working verifier, liveness techniques
- Vishing kill chain + workflow-gap SIEM rule (2.4) — the durable detection that catches what artifact-level detection misses
- Synthetic identity (2.5) — KYC enrollment, vendor onboarding, executive impersonation; vendor disclosures from Onfido/Jumio/Persona
- IR playbook (2.6) — first 30 minutes, notification timelines, transaction reversal coordination, forensic preservation
The architectural insight running through every module: artifact-level detection is necessary but insufficient. The workflow-gap detection — the absence of expected out-of-band verification — is the durable signal that survives as adversary tradecraft evolves.
Day 3 takes this insight to a different threat class: LLM-authored malware and prompt-injection campaigns against enterprise copilots. The detector’s stack evolves but the workflow-gap principle holds.