Module 5.2 — Phases 1 and 2: Recon and Deepfake BEC
Day 5 capstone · Section 2 of 6
Phase 1 — AI-Driven Recon (1:15 hours, 100 pts max)
What students see
At 0:30 they receive their first inject: a SIEM digest covering the previous 72 hours containing 14 alerts spread across multiple sources (LinkedIn API monitoring, careers-page traffic analysis, public-cloud telemetry, mail gateway content analysis). The full alert pack is at ~/data/phase1_recon_alerts.json (Codex-generated, 14 records).
Among those 14 alerts:
-
10 are genuine PROMETHEUS-7 reconnaissance signals that, taken together, establish that:
- An external actor scraped Verdancy’s LinkedIn org chart over a ~36-hour window using anomalous Python-requests user agents and headless-browser fingerprints
- The same actor enumerated Verdancy’s careers page targeting senior finance roles
- An anomalous DNS resolution pattern shows server workloads making outbound resolutions to LLM API endpoints — adversary tooling running on infrastructure outside the org’s network
- Brenda Castillo (AP Director) is the highest-value target identified by the pattern: senior finance role, public LinkedIn presence with detailed background, recent appearance on a finance-process podcast
-
4 are decoys / unrelated noise that students should NOT chase:
- A scheduled vulnerability scan from the IT team
- Normal recruiter outreach to a senior engineering candidate
- A misconfigured cron job generating spurious DNS lookups
- A media-mention monitoring service crawling Verdancy’s PR pages
What students should do
- Cluster the alerts by source-IP and user-agent fingerprint (Day 1 Module 1.3 embedding-clustering or simpler keyword grouping)
- Identify the PROMETHEUS-7 cluster — same actor across LinkedIn scraping + careers-page enumeration + DNS anomalies
- Cross-reference with Day 4 adversary-agent telemetry rules — the DNS to LLM API endpoints from server workloads should fire the Day-4 Sigma rule pack
- Identify Brenda Castillo as the target based on the recon pattern
- Document findings in the timeline.csv deliverable with timestamps and correlation evidence
Scoring (Phase 1: 100 pts)
| Action | Points |
|---|---|
| Correctly identify all 10 genuine PROMETHEUS-7 alerts | +60 |
| Correctly identify Brenda Castillo as the targeted intermediary | +20 |
| Avoid wasted time investigating any of the 4 decoys | +10 |
| Correlation evidence in timeline.csv shows the recon pattern, not just isolated alerts | +10 |
| Penalty: false-positive — flag a decoy as PROMETHEUS-7 | -5 each |
Instructor pacing for Phase 1
- Quick-win opportunity: strong students will spot the LLM-API DNS pattern within 15 minutes if they look there first. Hint sequence if needed: “Look at user-agent entropy and timing on the careers page” → “What’s making outbound calls to api.openai.com from a server workload?”
- Stuck-state intervention (35 minutes in): if a student is investigating only one alert source, redirect with “Are these alerts in different sources or the same actor across different signals?”
- Time pressure: at 1:30, announce “15 minutes remaining in Phase 1, document what you have” — pushes students to commit findings rather than continuing to investigate
- Phase 1 ends at 1:45 regardless of completion. Whatever is in timeline.csv is what gets scored.
Why these signals exist in the alert pack
Each genuine alert represents a real-world recon pattern from the 2024-2026 incident corpus:
- LinkedIn API scraping anomalies — match the FAMOUS CHOLLIMA pattern (Day 1 Module 1.1) and the GTG-1002 reconnaissance phase (Day 4 Module 4.1)
- Careers-page enumeration — match the Bargury Living off Microsoft Copilot CopilotHunter pattern (Day 3 Module 3.4)
- Server-workload LLM API resolution — match Day 4 Module 4.2 adversary-agent telemetry signatures
- Mail-gateway AI-generated phishing precursors — match Day 1 Module 1.5 stylometric clustering
This is the integration test for Days 1, 3, and 4 in compressed form.
Phase 2 — Deepfake Voice BEC (1:15 hours, 100 pts max)
What students see
At 2:00 the phase starts. At 2:05 an inject arrives: an email forwarded from Brenda Castillo (the AP Director identified in Phase 1) to the SOC, with the subject “FW: weird CFO call this morning.” The forward includes:
- A voicemail attachment (audio file, ~45 seconds)
- A “vendor-onboarding-emergency.pdf” attachment that Brenda hesitated to process
- Brenda’s note: “CFO sounded off, wanted urgent vendor change. Marking this for security review before I process.”
The audio file is a deepfake voice clone of Verdancy’s actual CFO (Lisa Park) requesting an urgent vendor-account-change in confidential terms.
What students should do
- Compute SHA-256 hash of both attachments immediately and preserve to evidence locker
- Run the audio detector (Day 2 Module 2.2 working pipeline) against the voicemail
- Critical moment: the audio detector returns confidence 0.61 (below the default 0.7 threshold). Students who blindly trust the threshold conclude “audio is real” and miss the deepfake.
- Apply Day-2 workflow-gap detection — the Sigma rule from Module 2.4. There was no out-of-band verification event for the proposed vendor change. The workflow gap is high-fidelity even when the audio detector misses.
- Forensicate the PDF — should reveal embedded prompt-injection content designed to corrupt downstream automated processing (preview of Phase 3)
- Contain Brenda’s endpoint (isolate from corporate network) and rotate her credentials
- Notify legal of suspected attempted financial fraud
- Submit hold on any pending payments to vendor accounts not on the verified-vendor list
Scoring (Phase 2: 100 pts)
| Action | Points |
|---|---|
| Correctly identify the audio as a deepfake (regardless of detector threshold) | +30 |
| Apply workflow-gap detection that catches the missing OOB verification | +25 |
| Detect the embedded prompt-injection content in the PDF | +20 |
| Contain Brenda’s endpoint within 30 minutes of voicemail receipt | +15 |
| Issue payment hold on un-verified vendor accounts | +10 |
| Penalty: trust the audio detector threshold blindly | Audio detection score capped at 50% |
| Penalty: over-block (e.g., disable Brenda’s entire team) | -25 each over-block |
The pedagogical lesson
This phase teaches the Module 2.2 anti-pattern in vivid form: “we have an audio detector, we’re deepfake-safe” is wrong. The detector scored below alarm threshold; the audio was fake; the durable control was the workflow-gap detection, not the artifact classifier.
Students who score full marks on Phase 2 are the ones who stopped trusting the audio detector and asked “was the workflow followed?” instead.
Instructor pacing for Phase 2
- Voicemail arrives at 2:05 — five minutes into the phase. Students who haven’t been monitoring inbound mail miss it for a while.
- Audio detector returns 0.61 — design the lab environment so this is the actual returned value. Students who don’t notice the detector flagged “below threshold” and run the workflow-gap rule anyway will succeed; those who stop at the detector miss the rest.
- The PDF prompt-injection is the bridge to Phase 3 — it points to NoraBot as a downstream target. Strong students will start preparing for Phase 3 immediately.
- Containment timing: if Brenda’s endpoint isn’t contained within 30 minutes of voicemail receipt, simulate a follow-up inject at 2:45: “Brenda’s machine just made an outbound HTTPS connection to a known-bad host — initial access has been achieved.”
Why this matters in the integration story
Phase 2 is the integration test for Day 2 — the entire day compressed into a 75-minute exercise. Students who internalized Day 2’s anti-pattern (Module 2.6) catch this phase quickly. Students who didn’t, lose 50%+ of Phase 2 points.
What’s next
Module 5.3 covers Phases 3 and 4 — the indirect prompt injection against NoraBot, and the Mirror Twist where the defender’s AI agent confidently misattributes the exfiltration.