Interpersonal Skills for Malicious Infrastructure/Phishing Response

Use Case

In almost every intervention or support case, practitioners will be working directly with persons affected by an attack or attempted attack. This can often be a stressful and anxiety-inducing experience for targeted persons, and every practitioner should know how to mitigate those pressures.

Objectives

After completing this subtopic, practitioners will be able to support those who might have received or clicked on malicious emails or links in a responsible way, embodying empathy and focusing on harm reduction informed by the targeted person’s own threat model.

Foundation Knowledge

The Security Education Companion contains a multitude of advice on thoughtful, careful, harm-reducing ways to interact as a technology helper. If you are not already familiar with this type of content, we highly advise reviewing the resources in Security Education 101.

After reading through the above resources, you should be able to do the following:

• Understand how risk assessment is important in every interaction;
• Understand the risks of touching people’s devices or gaining access to their accounts;
• Understand that when you share information about the case or attack with colleagues or others in the community, you require the informed consent of the targeted person. This means explaining to them what information you will share, how you handle that information, what the possible risks of sharing that information could be, and requesting their explicit permission to do so;
• Understand the risks of engaging in fear-mongering discourse;
• Understand your own limitations, both in terms of technical ability but also your suitability to support a given person or community and any risks inherent in doing so;
• Avoid injecting preferences for platforms, technology, open-source vs closed-source, etc, into helper interactions.

Path-specific Knowledge

Once you are familiar with the above foundational knowledge, take some time to think about particular interpersonal skills which might be needed for this specific learning path. Every learning path and intervention are slightly different; each one might bring with it different narratives or concerns by learners.

You should be able to:

• Look at how you can talk about phishing and malicious infrastructure in the most empathetic way possible. Everyone can click a bad link or misread a URL; make sure that you do not shame anyone. When publicly discussing case studies, do so carefully and empathetically as not to blame any individual users or identify any people who would prefer to remain anonymous;
• Be ready to discuss the difference between active and passive analysis of infrastructure of risk tolerance;
• Be ready to explain how the same method of analysis can sometimes yield lots of data and sometimes very little, and manage expectations accordingly.

Note that the skills outlined later on in this learning path also contain advice on developing the interpersonal skills in order to deliver thoughtful, harm-reducing support.

Understand: Harm Reduction & Operational Security

By the time a phishing email has been shared with you, it is possible that the intended target has already been harmed: they might have clicked it and entered some data, or they may be impacted by the psychosocial impact of feeling targeted or watched. It’s important to support the intended target while, at the same time, avoiding causing harm to yourself during active interaction with malicious content.

Harm reduction for the targeted person should start with collecting some information on the actions they took and the circumstances in which they received and interacted with the email. You might ask different sets of questions for people you know well, such as colleagues, and beneficiaries whom you know less about. Some questions worth asking include: What is their threat model? Are they an anonymous blogger? A dissident in exile attempting to hide their location? Were they using a VPN? Is their browser and operating system up to date? What email system did they receive and open the email in? Did they interact with links, forms, or attachments? Did they reply to the email or forward it to anyone else? Did others in their organization or community receive a same or similar email?

The answers to these questions will both help provide useful harm reduction support and aid in your investigations. As you progress in analysis and understanding of the malicious content, update the targeted person especially insofar as is relevant to harm reduction.

For operational security to protect yourself while working with malicious emails, check out the next subtopic.

Practice

Reflect on and answer/discuss the following with peers, colleagues, friends, or a mentor. If available and if appropriate, talk to a ‘client’ you have worked with before to ask their input and experiences on some of these questions.

• Describe how touching and gaining access to someone’s device might present unforeseen risks.
• Imagine you are assisting someone with sensitive data on their device. How would you approach a discussion with this person regarding your access and data handling.
• How does understanding a person’s specific threat model impact your harm-reduction efforts, for instance if they are an anonymous blogger or dissident in exile?
• How do you navigate providing factual technical evidence according to your ability, while balancing the need not to provide false confidence while also not fostering paranoia?
• Describe your own abilities and limitations in conducting infrastructure analysis work. After making a first attempt at this description, attempt to add further nuance and accuracy to your description.
• What might be the risks if you proceed without this recognition of your limitations?

Skill Check

Do a role-playing exercise with a peer or mentor, in which you play the part of the digital protector, and they play the part of somebody who received a phishing email which is still in their mailbox. They received the email several hours ago, do not remember whether they clicked on it, and only started to think that it’s suspicious and that they should alert others now. They are very stressed, worried that they might have put their colleagues and organization at risk. Some of the topics the conversation could touch upon include:

• Explain what a phishing message is and what the attackers’ aims could be.
• Talk the targeted person through what risk they might be at if they clicked the phishing email.
• Talk about who the potential adversaries could be, and how many attacks are not targeted at all.
• Discuss what next steps the targeted person and organization could take to keep safe.

Learning Resources