Empathy in Incident Response

His email message to the SOC was succinct. “I clicked on a suspicious link,” he wrote, “What do I do now?”

My first reaction wasn’t that of anger or contempt. I was relieved, actually. Relieved that he alerted the team. (I don’t think I even want to know how many clicks on suspicious links go unreported.) I was eager to take on this challenge and I quickly located the email in question and I examined it.

Then, I called him. On the phone. To talk to him. In person.

He seemed nervous to take my call. I could tell, even before he said it, that he had a cold. You could hear it in his voice and in his breathing. He apologized profusely for clicking on the link, that he was sick and wasn’t thinking clearly.

Not only did I channel my transferable skills of dealing with customers/end users from my past careers as a librarian and a travel agent, but also the advice and lessons learned shared by InfoSec pros like Lesley Carhart, Ariel Robinson, Jayson Street, and Swift on Security, to name a few.

I first thanked him for his email and letting us know. I told him that he did a good thing by saying something and that together we would work this out. Since I examined the email in my sandbox, I knew what the end result would be based on his clicks. I asked him to walk me through his actions. I never used the phrase, “what did you do,” because that sounds like blame. I would prompt him to his next step by saying, “and what was  your next action?”

To me, the email looked like an obvious phish. I was curious about his side of the story. Without any prompting, he explained that he was on a lot of cold medicine and used poor judgment. I could hear the stress come back into his voice as he said this, and he apologized profusely.

I walked him through some troubleshooting steps on his computer and based on his answers, coupled with my own findings, and told him that it seemed like he dodged a bullet. I described to him the steps to engage a virus scan, just as a precaution.

I ended the call basically the way it began. I thanked him for alerting us. He sounded less stressed and thanked me. I genuinely told him that it was my pleasure to help. I told him that I hoped he got well soon. I told him to be careful online and to have a cyber safe day.

This entire incident response took less than 10 minutes total. I realize that one can’t take 10 minutes for every end user who clicked on a suspicious link. But, for when you can spare some time, show empathy. The language I used and the steps I took were towards the greater goal of creating a culture of security.

When I first started at this SOC job four months ago, I used to surprise people by merely letting them know that real humans worked on the security team. I think they assumed a bunch of blinky boxes were involved. But, I am human and I do have empathy for the end user in a time of incident response.