Article
Cyber Resilience
17.07.2023

Recommendations for anti-virus, EDR and XDR security solutions

This document provides guidance on generic, pragmatic technical criteria and some relevant references for Antivirus, EDR and XDR security solutions. Given the current context, a "defence in depth" strategy is important and organisations should prepare adequately. This includes many aspects like suitable policies and procedures, end-user training (awareness), vulnerability management processes, good configuration management, (local) firewalls, web application protections, Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), proper network segmentation, mobile device management, and all of those should be tailored to your organisation and take the architectural design into account, such as cloud usage, a "Bring your own device" strategy, etc. Deploying and managing Antivirus, EDR (endpoint detection and response) and even XDR (extended detection and response) are part of the solution required to achieve this goal.
Article
16.07.2023

Crisis communication in the event of a cyber attack

The question is not "if" you will ever fall victim to a cyber attack, but "when". So you need to be prepared. Here are the recommendations for effective communication in the event of a cyber attack.

Before the incident

Step 1: Risk analysis
Identify and describe what cyber attacks your business or organization could be a victim of and what that would mean for service or production continuity. The most common attacks are:
- A ransomware attack: ransomware is a virus that is installed on a device without the owner's consent. The ransom virus takes the device and files hostage (in an encrypted manner) and demands a ransom.
- A DDoS attack: with a DDoS (Distributed Denial-of-Service) attack, criminals try to take down a web server by overloading it with a very large number of page requests. A DDoS attack in itself is not a danger and will pass, but often such an attack is used to hide another attack or as an additional means of pressure, e.g. in a ransomware attack.
- A virus on the network
- Scams, e.g. through CEO fraud
- A data breach, violation of GDPR legislation, etc.

Step 2: Document and organize
Review your company or organization's crisis plan or cyber security incident management plan. Check if crisis communication is included in this, and in what way. Ensure that it contains, as a minimum, the following elements:
- A contact list for support (on paper): who we can call on during an incident
- A contact list of employees, stakeholders, partners and press (on paper): who we should inform about the incident
- An overview of the communication channels that can be used during a cyber attack (so including offline channels)
- An overview of key messages: for some common cyber attacks, a short message can be prepared in advance
- A division of labour, listing the different roles in a cyber incident and the tasks associated with each role:

Management / crisis team
- Evaluation of the cyber attack
- Manage the crisis
- Ensure continuity of the organization
- Provide feedback to the communications department
- Validate messages for communication
- Spokesperson agreements are determined for each incident, depending on the scope/threat/sensitivity/theme

Communications department / spokesperson
- Collect information
- Advise the crisis team
- Editing (adapting the message to different audiences and channels)
- Manage communication channels: sending emails, publishing on the website, Twitter, etc.
- Receive, inform, refer on or speak to the press

Legal / emergency plan coordinator / safety officer / DPO
- Guidance on following the emergency plan
- Continuous evaluation of actions in relation to the legal framework and mandates
- Provide legal advice to the coordination unit
- Follow-up and coordination of communication of classified information and personal data
- Contacts with the data protection authority

Step 3: Practice
Every company or organization should practice a cyber incident at least once. Be sure to involve the communications department or communications officer in this exercise.

During the incident
Good communication during an incident is crucial to avoid time being wasted and to limit reputational damage. Respect the following order of communication:
1. Employees
2. Stakeholders
3. Partners
4. Customers
5. Press
Once you communicate to employees, you should also inform the other parties as soon as possible. After all, it is an illusion to think that employees will treat information confidentially. In other words, the information will leak quickly to the outside world. If personal data may have been stolen or leaked, the data protection authority should be contacted.

Define the messages
Consider communicating proactively. Even before the incident "leaks out" you can communicate about it. This principle is called "stealing thunder": you deliver the (bad) news yourself before the press flies in and constructs its own story. By communicating proactively, you are most likely to be able to keep control of the communication.

Prepare an immediate holding message. Communicate the following elements:
- We know: we know what happened.
- We do: we are now working on the following issues; we are working on a solution.
- We care: we take this very seriously; we are empathetic.
- We are sorry: we regret the incident; we apologize.
- We'll be back: we say when we will release more information.

Define the key messages
- What happened?
- How did this happen?
- Who was responsible for this?
- What are the implications? For employees, customers, partners, etc.
- What are we doing to repair the damage? What solutions do we have?
- What are we doing to prevent this from happening in the future?

Set the tone
- Apologize if there are victims or if a mistake was made.
- Don't get defensive, but do show what your organization did to avoid this or has done to resolve this quickly.
- You should not be ashamed; you are a victim of criminals and this can happen to anyone.
- Don't respond aggressively to accusatory questions; rather point out "lessons learned".
- Avoid "no comment": not responding to questions is a message in itself, which is often interpreted as "they must have made a mistake" or "they certainly have something to hide".

Choose a spokesperson. Advice for spokespersons:
- Show empathy.
- Don't lie.
- Be transparent.
- Anticipate and practice difficult questions.
- Use bridges to keep returning to the core message.
- Be clear and concise.
- Avoid technical (cyber) jargon.

Potential pitfalls
- In the event of a cyber attack, the main channels of communication may be unavailable: intranet, email, website. Think in advance about alternative channels to reach different audiences.
- If a legal investigation has begun into the cyber attack, you may need to be very careful with information. But don't let this be an excuse for not communicating, or for not communicating transparently.
- Attribution of a cyber attack: be careful about assigning a possible perpetrator of the attack. In a cyber attack, this is always very difficult to determine.

After the incident
It shows high maturity when, after the incident, an organization wants to share the lessons learned with others in a publication, a blog, a lecture or a study day.

More info
- Crisis Communication Guide, National Crisis Center: https://crisiscentrum.be/sites/default/files/documents/files/2021-03/leidraad_nl.pdf
- COMM Collection 7: Ready for crisis - Guide to crisis communication: https://bosa.belgium.be/sites/default/files/publications/documents/COMM7_NL_WEB_feb_2017.pdf
- Cybersecurity guide to incident management: https://ccb.belgium.be/sites/default/files/cybersecurity-incident-management-guide-EN.pdf
Article
Cyber Resilience
15.07.2023

How to quickly increase your organisation's cyber resilience?

It's not possible to prevent any and all cyber attacks, but there are things you can do. Cyber experts and security firms continue to insist that basic security actions can make a big difference, not only for individual internet users but also for companies and organizations: recognize and warn about phishing, use strong passwords and two-factor authentication (2FA), and patch and update systems in a timely manner.

Basic security
We advise companies and organizations to develop, update and test a (cyber) emergency plan on a regular basis. It is important for every employee to know what to do in the event of a cyber incident. (Webinar on cyber incidents: https://www.youtube.com/watch?v=-cHcTidmT1Y)
- Keep contact lists up to date and also store them on paper.
- Enlist assistance from an external partner/firm if necessary. Make arrangements for this in advance.
- Use two-factor authentication (2FA) whenever possible, both on individual accounts and on the company's or organization's social media accounts.
- Make sure your systems are up to date and always keep relevant and necessary backups offline.
For a full overview of security measures, consult the Cyberfundamentals Framework: https://ccb.belgium.be/en/cyberfundamentals-framework

Checklist to quickly bolster your security

Preventing ransomware or wiperware
- Make sure to implement 2FA or MFA for key business access points.
- It is important that your devices are protected with antivirus software, but in addition, specific protection against ransomware is also a must. Install anti-ransomware.
- It is also still important to identify false messages in time and to inform employees.
- Regularly perform updates on all your systems.
- Finally, regularly make backups in case you do become a victim. Provide a business continuity and recovery plan with a tested backup system.
- Have your IT security architecture and policy reviewed by a specialist (including policies around patching, user training, network segmentation, etc.).
Read our full advice: https://www.cert.be/sites/default/files/ransomware_2019_nl.pdf

Mitigate DDoS attacks
- Be prepared for a DDoS attack. Check that your Internet-facing systems are adequately protected against a DDoS attack.
- Watch out for other attacks that "hide" behind the DDoS attack.
- There are services and products that help mitigate a DDoS attack. Assess whether the use of such services is relevant to your organization.
Read our full paper here: https://www.cert.be/nl/paper/ddos-bescherming-en-preventie

Identify phishing in a timely manner
- Watch out for possible phishing attacks. Make employees aware that unusual communications from professional contacts are also suspicious.
- Ask employees to report suspicious emails to the IT department.
- Always forward suspicious messages to suspicious@safeonweb.be

Detect disinformation campaigns quickly
- The spread of disinformation through hacked channels is a threat. Watch out for possible misuse of your organization's public communication channels (websites and social media).
- Monitor activity on your organization's social media accounts. Look out for suspicious and anomalous login attempts. Use two-factor verification.
- Remind employees to be careful when sharing information on social media.

Detect anomalous activities in your professional networks
- Invest in logging and monitoring.
- Watch out for anomalous traffic on the systems and in the network.
- Ensure that anti-virus solutions are up to date.
Link to webinar on logging and monitoring: https://www.youtube.com/watch?v=SQEyC_wJEF0&feature=youtu.be

Find and update vulnerable systems
- Follow our advice and warnings on cert.be
- Check key systems and internet-facing systems for known vulnerabilities. Also pay extra attention to commonly exploited vulnerabilities, e.g. Log4j: https://www.cert.be/en/warning-active-exploitation-0-day-rce-log4j
- In some cases, no update to address a vulnerability is available. In such cases, take mitigating measures, such as limiting access to the vulnerable system.

What to do after a cyber attack?
- First port of call in the event of a cyber attack: https://www.cert.be/en/first-port-call-event-cyberattack
- Watch the webinar: https://www.youtube.com/watch?v=qcIk1bwXPuk
- If you are a victim of a cyber attack or have noticed a very unusual action on your networks, please file a report via https://www.cert.be/en/report-incident-0

Boosting your Organisation's Cyber Resilience - Joint Publication, ENISA and CE…
Article
07.06.2023

Take the most important step against cyber attacks now: install two-factor authentication (2FA) for all external connections

Article
12.05.2023

Belgium puts even more weight in international fight against ransomware