
LLM & GenAI Threat Intelligence Initiative

Guide for Preparing and Responding to Deepfake Events

Revision History

Revision | Date | Authors | Description
.01 | June 28, 2024 | Rachel James, Bryan Nakayama | First Draft
.03 | July 9th, 2024 | Rachel James, Bryan Nakayama, Sarah Thorton, Ramesh Kumar, Vaibhav Malik | Feedback and Second Draft
.05 | August 6th, 2024 | Rachel James, Bryan Nakayama, Sarah Thorton, Ramesh Kumar, Vaibhav Malik, Manuel Villanueva | Fourth Draft
1 | September 10, 2024 | Rachel James, Bryan Nakayama | Published

The information provided in this document does not, and is not intended to, constitute legal advice. All information is for general informational purposes only. This document contains links to other third-party websites. Such links are only for convenience and OWASP does not recommend or endorse the contents of the third-party sites.

Version: 1 Page 2 of 35


License and Usage

This document is licensed under Creative Commons, CC BY-SA 4.0. You are free to:

● Share — copy and redistribute the material in any medium or format
● Adapt — remix, transform, and build upon the material for any purpose, even commercially.

Under the following terms:

● Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
  ○ Attribution Guidelines - must include the project name as well as the name of the asset referenced
    ■ OWASP Top 10 for LLM - Guide for Preparing and Responding to Deepfake Events
● ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

Link to full license text: /licenses/by-sa/4.0/legalcode


Contents

Note from OWASP CTI Layer Lead Authors
Overview
Scope
Preparation
Risk assessment
Threat Actors
Threat Activity
Assessment of Defenses
Human-Based Authentication Best Practices
Financial Transactions
Helpdesk
Hiring
Sensitive Data Disclosure
Brand Monitoring
Event Response
DeepFake Incident Response Plan
Awareness Training
Event Specific Guidance
Financial gain through fraud by impersonation
Detection and Analysis:
Common TTPs:
Containment, Eradication and Recovery:
Post-Incident Activity:
Impersonation for cyberattacks
Detection and Analysis:
Common TTPs:
Containment, Eradication and Recovery:
Post-Incident Activity:
Job Interview Fraud
Detection and Analysis:
Common TTPs:
Containment, Eradication and Recovery:
Post-Incident Activity:
Mis/Dis/Mal Information
Detection and Analysis
Common TTPs:
Containment, Eradication and Recovery:
Post-Incident Activity:
Conclusion
References


Note from OWASP CTI Layer Lead Authors

Early in 2024, the OWASP Top 10 for LLM & GenAI community expressed a great deal of interest in covering the adversarial use of artificial intelligence. On reflection, the core team determined that since vulnerabilities within AI systems were the primary focus of the Top 10, guidance on adversarial use fell outside the scope of that publication. The OWASP community came together and volunteered to create a separate resource group, one that would focus on creating actionable guidance, checklists and research into adversarial use for cybersecurity professionals. That group became known as the CTI Layer team, led by Rachel James and Bryan Nakayama.

This Guide for Preparing and Responding to Deepfake Events is the first of several planned publications of the CTI Layer. This publication was developed by cybersecurity professionals for cybersecurity professionals. We intended to provide practical guidance for a technical and leadership audience who must create playbooks, response plans and quickly respond to a deepfake event. It is the hope of the authors and contributors of this document that we can improve the cultivation of best practices and provide a comprehensive overview of what is involved in preparing, detecting, and responding to such events.

Rachel James, CISSP, CISA, OSCP, GMLE
CyberShujin LLC
racheljames@

Bryan Nakayama, Ph.D.
CTI Professional
bryan.nakayama@


Overview

Deepfakes—hyper-realistic digital forgeries—have gained significant attention as the rapid development of generative AI has made it easier to produce convincingly realistic videos and audio recordings that can deceive even the most discerning viewers. They pose a potentially daunting challenge for cybersecurity professionals since fraudsters and cybercriminals can leverage deepfakes to carry out sophisticated impersonation and social engineering attacks. Due to the widespread use of social media, everyone from high-profile individuals like CEOs to average citizens is at risk of impersonation since it can take as little as 10 seconds of audio or video to produce a convincing deepfake. Deepfake-generated content has already been used in phishing and fraud schemes, where attackers created videos of CEOs and other trusted figures to manipulate employees into divulging sensitive information and/or transferring funds (Chen & Magramo, 2024).

While deepfakes are a powerful tool for social engineering, cybersecurity professionals do not need to turn to new detection technologies or intensive “how to spot a deepfake” training programs in order to mitigate the risk that they pose. Recent studies suggest that deepfake detection technologies are still immature and the rapid advance of the technology will make training programmes focused on looking for specific visual or audio artifacts rapidly out-of-date (GAO, 2024). Moreover, researchers have discovered that even with training, people both cannot reliably detect deepfakes and tend to overestimate their own ability to identify deepfakes (Köbis et al., 2021). Like many other social engineering attacks, deepfake-enhanced attacks frequently depend on the victim bypassing established procedures and controls at the behest of the attacker. Therefore, this guide emphasizes practical and pragmatic defense-in-depth strategies as well as layered controls as a key approach that cybersecurity professionals should take to deepfakes.

The hope is to provide a guide that is resilient to evolving deepfake-enhanced threats by applying fundamental security principles. Key strategies that the guide endorses include:

● Focusing on process adherence rather than visual or auditory detection of fakes.
● Implementing and maintaining strong financial controls and verification procedures.
● Cultivating a culture of awareness and skepticism towards unusual requests.
● Developing and regularly updating incident response plans.

The first section in the guide is the Scope which outlines key definitions and the intended audience. The guide distinguishes between four different scenarios based on attacker intentions—financial fraud, job interview fraud, social engineering, mis/dis/malinformation—and provides guidance across the four stages of incident response from NIST Special Publication 800-61 Revision 3:

1. Preparation,
2. Detection and Analysis,
3. Containment, Eradication and Recovery
4. Post-incident activity


Scope

Synthetic media intended to reproduce someone’s likeness is generally divided into two categories (DOD, 2023):

● Cheapfakes - Multimedia that has been manipulated using techniques that do not involve machine/deep learning, which in many cases can still be as effective as the more technically sophisticated techniques, are often referred to as shallow or cheap fakes.
● Deepfakes - Multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence) are referred to as deepfakes.

We will focus this guidance on three categories of malicious deepfakes based on the attacker’s objective:

1. Financial gain through fraud by impersonation
2. Job interview fraud
3. Impersonation to further cyberattacks (such as initial access)
4. Mis/Dis/Malinformation

Most organizations outside government and journalistic entities will potentially be targeted for one of these three objectives. Based on public and private intelligence sources, we believe there has been a minor but measurable increase in activity from these three categories impacting organizations since mid-2023.

We separate malicious deepfake activity into three categories because the preparation and response for each are different. For example, if a threat actor attempts to use a deepfake for fraud or trick a helpdesk employee into giving them access, you are unlikely to be fortunate enough to have any captured video or audio to analyze, nor will the content be hosted on a platform. In the case of mis/dis/malinformation, there will likely be some media to analyze and a take-down process to be conducted.

While this guide provides preparation guidance that is encompassing of all three categories of deepfake events, the subsequent Detection and Analysis; Containment, Eradication and Recovery, and Post-Incident Activity guidance are event-specific.


Preparation

Preparation focuses on understanding the current risk through analysis of threat activity and current defensive posture, establishing a deepfake incident response plan, and finally, establishing a deepfake reporting process and employee education.

Risk assessment

At the time of writing (July 2024), deepfakes are not the leading cause of fraud, cyber threat activity or reputational damage for most organizations outside of journalistic and government entities. That said, public and private cyber threat intelligence sources indicate that the use of deepfakes and cheapfakes by financially motivated threat actors has seen a minor increase. As the technology progresses, it will become easier and cheaper to create a deepfake that is good enough for broad attacks (Ciancaglini & Sancho, 2024).

As part of preparation for deepfake events, organizations should evaluate their own individual risk of becoming a target of deepfakes based on their business, media and political exposure, history, threat actor activity, and susceptibility to fraud.

Threat Actors

An excellent adversarial landscape graphic produced by DARPA (Brooks et al., 2022), shown below, provides an understanding of the adversarial skill level and the observed use of these technologies. This will help organizations better determine which category of deepfake technical capability they will most likely encounter.

This research also reflects findings in the work produced by Onfido in collaboration with FIDO Alliance, in the 2024 Identity Fraud Report.


Biometric fraud and the use of cheapfakes and deepfakes as a means to bypass authentication and commit fraud have seen a minor observable uptick. The authors conclude that this trend has seen a slight increase and that we can expect that increase to continue. Therefore, this window of opportunity for cybersecurity professionals to develop awareness, detection, response, and mitigation strategies is ideal.

Threat Activity

Current, known threats that these technologies pose include:

1. Evasion of authentication - How I Broke Into a Bank Account With an AI-Generated Voice
2. Impersonation - Unusual CEO Fraud via Deepfake Audio Steals US$243,000 From UK Company
3. Financial Fraud - Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’
4. Reputational damage - a fake but realistic video of a CEO making unsavory comments or incorrect statements can damage brand image and lead to loss: Beware of deepfake of CEO recommending stocks, says India's National Stock Exchange; and fake twitter accounts causing losses to company Eli Lilly and Lockheed Martin; Responding to Malicious Corporate Deepfakes – Debevoise Data Blog
5. Deepfake employment interviews - Criminals Use Deepfake Videos to Interview for Remote Work
6. Misinformation leading to financial implications - Such as impacting stock prices: S&P Sheds $500 Billion from Fake Pentagon Explosion

Assessment of Defenses

Your assessment should include a review of policies, procedures, enforcement and auditing methods for four main areas: sensitive data disclosure, helpdesk, financial transactions and event response.

We recommend starting with a review of the governance and approval structures to oversee security measures and policies related to sensitive data disclosure, mergers and acquisitions, legal, financial transactions, and employee identification for purposes of authorization or identification (such as with the helpdesk, HR, and physical security). A key part of this review should include interviewing employees enacting these processes in order to understand whether and to what extent there are deviations from policy. Starting with this review will allow you to be able to navigate successfully through the governance and approval structures to suggest changes and posture hardening processes.

Human-Based Authentication Best Practices

Ideally, at least two of the following best practices where human-based authentication is permitted should be in use. These best practices include:

● Maintain an employee directory of approved communication methods that can act as additional verification to authenticate a user such as corporate instant messenger, additional phone number, alternative emails or aliases that can be used to confirm a voice request.
● Alternative Communication Verification: calling the person back on a pre-registered phone number to confirm the identity and request.
● Code of the Day - this practice, often implemented in financial institutions, requires the caller or requester to refer to a secure system which generates a random unique code that rotates on a frequent basis. Despite its name, the Code of the Day typically rotates several times a day and is used in conjunction with other forms of verbal identification. Some organizations use a secure application that requires MFA to access the current code, while others distribute the code through SMS. Users must have the ability to request a rotation of the code or to report a suspected compromise of the code, to allow for rotation-on-demand in addition to frequent automatic rotations. In situations where an employee is unable to authenticate to the application or device to get the code, it is permissible for a manager or coworker to share the code only in person and after confirming a valid employee badge (by swiping into a secure area).
● Custom Security Questions: established when onboarding, or created for third-parties and kept in encrypted storage. These should not be any data that is able to be derived from a credit report, social media account, or that the employee uses routinely (date of birth, employee ID, employee login name, should not be used). Disallow common questions such as “Mother’s Maiden name” or “Pet’s first name.”
● Require the caller’s manager or supervisor to verify the request by sending an email, or conducting an outbound call to the manager on a pre-registered phone number.
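A sketch of the Code of the Day mechanism described above, as an added example (not code from the OWASP guide): a server-side holder that issues a random code, rotates it on a schedule and on demand, and shows it only to MFA-verified sessions. The class name, the 4-hour interval, the 6-digit format and the `mfa_verified` flag are assumptions for illustration; the code is meant to be used alongside other verbal identification, as the guide states.

```python
import hmac
import secrets
import time


class CodeOfTheDay:
    """Holds the current spoken verification code (hypothetical design)."""

    def __init__(self, rotate_every_s=4 * 3600, digits=6, clock=time.time):
        self.rotate_every_s = rotate_every_s   # assumed: several rotations a day
        self.digits = digits
        self.clock = clock                     # injectable so rotation can be tested
        self.audit = []                        # (timestamp, event, detail)
        self._code = None
        self._issued_at = 0.0
        self._rotate("initial")

    def _rotate(self, reason):
        # Draw from the OS CSPRNG; redraw so the new code never equals the old one.
        while True:
            new = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
            if new != self._code:
                break
        self._code, self._issued_at = new, self.clock()
        self.audit.append((self._issued_at, "rotated", reason))

    def _expire_if_due(self):
        if self.clock() - self._issued_at >= self.rotate_every_s:
            self._rotate("scheduled")

    def current(self, mfa_verified):
        """Show the code only to a session that has already passed MFA."""
        if not mfa_verified:
            self.audit.append((self.clock(), "denied", "no MFA"))
            raise PermissionError("MFA required to view the current code")
        self._expire_if_due()
        return self._code

    def report_compromise(self, reporter):
        """Rotation-on-demand: the previous code stops working immediately."""
        self._rotate(f"on-demand by {reporter}")

    def verify(self, spoken):
        self._expire_if_due()
        ok = hmac.compare_digest(spoken.strip().encode(), self._code.encode())
        self.audit.append((self.clock(), "verify", "match" if ok else "mismatch"))
        return ok


def demo():
    """Walk through scheduled and on-demand rotation with a constructed clock."""
    now = [1_000_000.0]
    cod = CodeOfTheDay(clock=lambda: now[0])
    first = cod.current(mfa_verified=True)
    results = {"fresh": cod.verify(first)}
    now[0] += 4 * 3600                          # scheduled window elapses
    results["after_schedule"] = cod.verify(first)
    second = cod.current(mfa_verified=True)
    cod.report_compromise("helpdesk-agent-7")   # constructed reporter id
    results["after_report"] = cod.verify(second)
    results["new_code_ok"] = cod.verify(cod.current(mfa_verified=True))
    return results
```

The audit list gives the helpdesk a record of mismatches, which supports reporting on repeated failed verbal authentication attempts.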

Financial Transactions

Ensure the following best practices for financial transactions are contained in written policy and procedure, and have means of enforcement and auditing for failures:

● Clear written policies regarding financial transactions and controls.
● SoD (Separation of Duties): Separate critical functions so that no single individual has control over all aspects of any financial transaction. For example, the person who authorizes a payment should differ from the person who processes it, and both should have independent non-overlapping decision-making/justification chains to do their parts respectively.
● Dual Authorization: Require two authorized individuals to approve significant transactions. This ensures that every person can only initiate and complete a transaction with oversight.
● Consider a “code of the day” technique that must be stated for any authorization of transactions or sharing of sensitive information. Accessing the day's code requires both parties to access a portal displaying the code.
● MFA on all systems for communication and financial transaction processing.
● Identify processes that permit authorization and authentication through means that are not protected by MFA.
● Inventory the method of human-based authentication, and review for best practices.
● Dual-band communication verification requires two types of authentication that cannot come through a single communication channel. For example, transactions should not be able to be requested, reviewed, or approved solely through email or phone calls.
● Regular audits and periodic access reviews to ensure the above.
● Ensure compliance procedures for financial transactions provide significant latitude to challenge senior leadership requests.
● Require multiple approvals for transactions above a certain threshold.
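The controls in this list can be enforced as a release gate in the payment workflow. The following is an added example (not from the OWASP guide) that checks a request against separation of duties, dual authorization, a higher-value approval threshold, dual-band verification and MFA; the thresholds, approver roster, field names and sample requests are constructed assumptions.

```python
from dataclasses import dataclass, field

SIGNIFICANT = 10_000     # assumed: dual authorization from this amount up
HIGH_VALUE = 250_000     # assumed: a third approval from this amount up
AUTHORIZED = {"alice", "bob", "carol"}   # constructed approver roster


@dataclass
class Approval:
    approver: str
    channel: str          # e.g. "email", "phone", "video_call", "erp_portal"
    mfa: bool             # was the approval given in an MFA-protected system?


@dataclass
class PaymentRequest:
    amount: float
    requester: str
    request_channel: str
    processor: str
    approvals: list = field(default_factory=list)


def violations(req):
    """Return the controls a request fails; an empty list means release."""
    found = []
    everyone = {a.approver for a in req.approvals}
    valid = everyone & AUTHORIZED
    if valid != everyone:
        found.append("unauthorized-approver")
    # Separation of duties: the approver is neither requester nor processor.
    if valid & {req.requester, req.processor}:
        found.append("separation-of-duties")
    independent = valid - {req.requester, req.processor}
    needed = 3 if req.amount >= HIGH_VALUE else 2 if req.amount >= SIGNIFICANT else 1
    if len(independent) < needed:
        found.append(f"needs-{needed}-approvals-has-{len(independent)}")
    # Dual-band: request and approvals must not all arrive on one channel.
    channels = {req.request_channel} | {a.channel for a in req.approvals}
    if len(channels) < 2:
        found.append("single-channel")
    if any(not a.mfa for a in req.approvals):
        found.append("approval-without-mfa")
    return found


def demo():
    # Constructed requests; names and amounts are illustrative only.
    cases = {
        # Urgent transfer requested and "approved" by one voice on one call.
        "impersonated_exec": PaymentRequest(
            400_000, "cfo", "video_call", "erin",
            [Approval("cfo", "video_call", mfa=False)]),
        # Requester and processor approve their own transaction.
        "self_approved": PaymentRequest(
            50_000, "alice", "email", "bob",
            [Approval("alice", "erp_portal", True),
             Approval("bob", "erp_portal", True)]),
        # Two independent approvers, second channel, MFA on both approvals.
        "compliant": PaymentRequest(
            50_000, "dana", "email", "erin",
            [Approval("alice", "erp_portal", True),
             Approval("bob", "erp_portal", True)]),
    }
    return {name: violations(req) for name, req in cases.items()}
```

Logging every non-empty result gives the audit trail that the "regular audits" item in the list calls for.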

Helpdesk

● Review current policy and procedures for password reset, new device enrollment into MFA, and reporting for repeated failed verbal authentication attempts.
● Interview employees in those departments to determine current workflow (which may be different than documented policy or process).
● Test process (after obtaining permission to do so).
● Identify gaps in policy, procedure and actual practice.
● Identify processes that permit authorization and authentication through means that are not protected by MFA.
● Inventory the method of human-based authentication, review for best practices.

Hiring

● Ensure there is an established process for reporting suspicion of candidate impersonation or fraud, and that all recruiters and hiring managers receive awareness training about the trends and the reporting process.
● Review identification verification processes for new employees. Ensure there is enhanced verification of IDs for all applicants to detect forged identities. Consider using identification services which are FIDO Alliance certified for best practices:
  ○ Get Certified for Face Verification | FIDO Alliance - FIDO Alliance
  ○ Identity Verification Certification Programs | FIDO - FIDO Alliance
  ○ Battling Deepfakes with Certified Identity Verification | FIDO Alliance - FIDO Alliance
● Include language in job postings stating that reasonable interview accommodations will be provided upon request but the expectation is no audio or video manipulation methods will be allowed during the interview process.
● Educate candidates that are invited to interview that you have processes for identifying candidate impersonators. Also, let them know that you will prosecute all discovered employment fraud. (Sullivan, 2020)
● Implement a series of interviews with different team members and where possible vary the format (video, phone, in-person) and timing of interviews.
● When a candidate is selected for an interview, ensure the process for scheduling that interview includes a disclosure that the interview must be conducted with the camera on, no background blurring or backdrops, no audio or video manipulation or filtering, no headphones, with their screen shared. State again that requests for reasonable accommodations for assistive technology may be made at this point.
● Audit all of your hiring practices to ensure your hiring team is consistently following best practices on background checks, references, resume review, interviews, and more.

Sensitive Data Disclosure

● Review current policy and procedures for sensitive data disclosure which may include mergers and acquisitions, legal, financial transactions, and employee information (HR) disclosures.
● Interview employees in those departments to determine the current workflow (which may be different than documented policy or process).
● Identify gaps in policy, procedure and actual practice.
● Identify processes that permit authorization and authentication through means that are not protected by MFA.
● Inventory the method of human-based authentication, and review for best practices.
● Schedule a review of these procedures on at least an annual basis, as best practices often change according to current threat landscape.

Brand Monitoring

● Complete an inventory of all the departments, tools and services leveraged by the organization for brand and reputation monitoring. Often this monitoring is conducted by multiple teams (CTI, legal brand protection, etc).
● Review monitoring services and platforms to determine if deepfake alerting is within scope.
● Ensure those departments are educated and trained on the procedure for reporting deepfakes.

Event Response

● Identify current mechanisms for reporting deepfakes, any current guidance or awareness for deepfakes.
● Review forensic retainers to determine if digital forensics expertise for deepfake analysis is included, and what the service level agreement (SLA) for that analysis is.
● Determine what service or mechanism your organization uses for takedown requests for look-alike domains and other copyright violations and determine if that service or process is also equipped to handle takedown requests for deepfake content (Gesser et al., 2023).
● Review or establish a deepfake incident response plan.

DeepFake Incident Response Plan

Now that you have done the critical homework in your risk assessment phase and understand threats, threat activity, and processes relevant to your specific organization, you can develop a deepfake incident response plan. A deepfake incident response plan is critical as during an event, having clearly outlined roles and responsibilities, templates for communication, and an understanding of how to respond is crucial to a timely response. A quick response helps an organization:

● Mitigate or reduce reputational damage
● Protect sensitive information
● Preserve trust and credibility
● Ensure financial impacts are limited
● Adhere to legal and regulatory compliance requirements
● Ensure operational continuity
● Identify opportunities for mitigation and ensure strategy and processes are in place

A helpful diagram for starting this planning is provided in a document from the Department of Homeland Security called “Increasing Threat of DeepFake Identities,” with the opportunities for mitigation identified:

The deepfake incident response planning process should, at a minimum (Gesser et al., 2022):

● Establish governance structures to oversee security measures and policies related to deepfake threats.
● Document who owns monitoring for deepfakes, what is the alerting process, channels, and stakeholders.
● Document who owns the takedown process for deepfakes, and how escalation is conducted, such as legal action if a takedown request is denied.
● Create a crisis communication plan for each type of the deepfake scenarios described below. In all scenarios, quick and effective communication is key to containment in response.
  ○ Ensure that templates are developed and approved by all parties with well-defined approval processes for when to implement them.
  ○ Ensure distribution plans and templates are updated regularly.
● Organizations should consider whether the deepfakes are part of a larger campaign intended to harass, exact revenge, or extort a company or individuals. Incident response plans should account for the following implications (Gesser et al., 2023):
  ○ Reputational damage.
  ○ Extortion pressure following a ransomware or data exfiltration event.
  ○ Hacktivism/corporate activism.
  ○ Financial fraud.
  ○ Sensitive information disclosure.
  ○ Industrial espionage.
  ○ Computer or network breaches.
  ○ Misleading stakeho
