Service Definition Document
Below, you will find the document giving the official description of our CERT services according to the recommendations of The Internet Engineering Task Force and Trusted Introducer, which is supported by the European CERT community.
Date of Last Update: Version 1.00: January 2019
Distribution List for Notifications
Notifications of updates are published on the official CERT.be website https://www.cert.be/.
Locations where this Document May Be Found
The current version of this document is available on the CERT.be website https://www.cert.be/
Name of the Team
CERT.be: Federal Cyber Emergency Response Team
Central European Time (GMT+0100 in winter time, GMT+0200 during summer time).
+32 2 501 05 60
Purpose: This key will sign any communication from CERT.be. It is also to be used for any confidential communication with CERT.be: communicating vulnerabilities, incidents, …
Name: CERT.be 2018 <[email protected]>
Key ID: RSA4096/1668FD92
Fingerprint: A7B9 E8AA F0AA AF13 C13D 3524 3FBC 9FC1 1668 FD92
Expires: 31 January 2020
Points of Contact
The preferred method is by email. If not email, telephone during office hours (08:00 to 18:00), from Monday to Friday, except Belgian public holidays.
Article 17 of the royal decree of 10 October 2014 about the creation of the Cybersecurity Centre Belgium (CCB) takes over the management of the Computer Emergency Response Team (CERT) service, created in the former Federal Public Service Information and Communication Technologies (FEDICT).
This article indicates that this service’s missions are: “[…] to detect, observe and analyse online security problems and so continuously inform users in that regard”.
By the application of this disposition, the old FEDICT CERT service is integrated inside the CCB, and therefore the CCB takes over all the above-mentioned missions.
As an administrative service of the CCB, CERT takes part to all other legal missions of the CCB.
Cybersecurity refers to all measures that ensure the confidentiality, the availability and the integrity of Information and Communication Technologies (ICT): technical measures, but also user awareness measures.
Cybersecurity is not about the use of ICT only as a means of activism, terrorism, espionage, subversion, or generally criminal. These deeds are the responsibility of other services than CERT.be (police, State security, etc.). Moreover, the identification of the authors of crimes is not within CERT.be’s purview. However, any attempt against the confidentiality, the integrity and the availability of ICT systems, for whatever reason, is a cybersecurity problem.
1 Arrêté royal du 10 octobre 2014 portant création du Centre pour la Cybersécurité Belgique,» M.B.,21 novembre 2014, p. 91395.
CERT.be’s constituency is divided into the following categories:
- Operators of essential eervices and critical infrastructure
- Operators of essential public services
- Administrative authorities
- Private moral persons
- Greater Public
CERT.be is an administrative service of the Centre for Cybersecurity Belgium (CCB), under the authority of the Prime Minister.
CERT.be only has the authority that would be vested by the NIS Directive’s Belgian transposition.
2. Directive (UE) 2016/1148 du Parlement européen et du Conseil du 6 juillet 2016 concernant des mesures destinées à assurer un niveau élevé commun de sécurité des réseaux et des systèmes d'information dans l'Union,» Journal Officiel de l'Union Européenne,19 juillet 2016.
Types of Incidents and Level of Support
CERT.be handles any incident linked to an information or network system located on the Belgian territory or any internet domain in “.be”. The level of support depends on the gravity of the incident and the quality of the correspondent.
Priority within the constituency is as follows:
- Operators of essential services and critical infrasturctures;
Operators of essential public services;
- Administrative authorities;
- Private moral persons ;
Co-operation, Interaction and Disclosure of Information
CERT.be treats the information it is handed according to the current Belgian legislation. CERT.be is therefore careful to protect personal data and sensitive information it receives.
As specified in the Cyber Emergency Plan, CERT.be coordinates the activities of the different stakeholders in the case of a national cybersecurity incident. In the case of a national cyber security crisis, CERT.be works together with the Crisis Centre in order to coordinate the activities of the different stakeholders.
When it is necessary to communicate personal data in order to handle an incident, CERT.be will be careful to only send the required minimum of information.
Information sent by email and encrypted with CERT.be’s PGP key will only be stored encrypted and will only be deciphered when required. If a transfer of this information is necessary, that transfer will also be PGP encrypted.
CERT.be uses and respects the Traffic Light Protocol as described by FIRST (version 1.0).
As much as possible, CERT.be will share its experience with its peers and its constituency, provided this doesn’t contravene the above provisions. Special attention will be given to the following groups: EGC, TF-CSIRT, FIRST et le EU CSIRTs Network.
Only specifically CCB-designated persons will have contact with the press.
Forum of Incident Response and Security Teams (FIRST), «Traffic Light Protocol (TLP) - FIRST Standards Definitions and Usage Guidance — Version 1.0,» 16 08 2016, www.first.org/tlp/
European Governmental CERTs
Task Force – Cooperation of Computer Security Incident Response Teams
Forum of Incident Response Teams
Communication and Authentication
CERT.be can be joined by email at [email protected]. A PGP key is associated with this address:
pub rsa4096 2019-01-03 [SC] [expires: 2020-01-31]
A7B9 E8AA F0AA AF13 C13D 3524 3FBC 9FC1 1668 FD92
uid [ultimate] CERT.be 2019 <[email protected]>
sub rsa4096 2019-01-03 [E] [expires: 2020-01-31]
CERT.be has personnel cleared to handle classified information in the sense of the Law of 11 December 1998 pertaining to information classification, security clearances and security advice
Loi du 11 décembre 1998 relative à la classification et aux habilitations, attestations et avis de sécurité,» M.B.,7 mai 1999, p. 15752.
Some of the services below are available for only part of CERT.be's constituency. The full table is available in our charter.
Reactive services aim at answering calls for assistance, notifications, and generally at any and all threat or attack against the CERT’s constituency’s systems.
- Alerts and Warnings
This service consists of the publication of information describing an attack, an alert, a threat, etc. and in the providing of short-term actions recommendations that allow facing the problem.
- Incident Handling
- Incident Analysis
At the request of a member of its constituency, CERT.be will make a post mortemanalysis of a cybersecurity incident. The goal of this analysis will be to identify the extent of the incident and the damage done, its root cause, and possibly recommendations.
- On-site incident handling
At the request of certain members of its constituency, CERT.be will dispatch specialists in order to assist local teams in handling a specific incident.
- Incident Response Coordination
CERT.be coordinates, in relationship with the concerned partners, the handling of incidents. In the case of a serious incident, the Cyber Emergency Plan can be activated.
- Incident Response Support
CERT.be provides its constituency with its support in handling security incidents. This support takes the form of advice by email or phone, help in data analysis, etc.
- Vulnerability Handling - response coordination
When a vulnerability is found in some software product, CERT.be can, on request, coordinate mitigation and communication efforts between the different parties involved (researcher, software vendor, users, etc.). It may be that CERT
- Artefact Analysis
An artefact is a trace of an intrusion or attempt at the intrusion on an ICT system. Log files and systems information are examples of artefacts.
CERT.be may analyse artefacts submitted by some categories of its constituency. CERT.be may have to work with external third parties in order to provide this service.
Proactive services aim at improving the constituency’s security infrastructure and processes before an incident occur or is detected.
CERT.be provides announcements via its web site and if necessary private channels in order to warn its constituency of risks caused by newly-found vulnerabilities or the existence of new threat vectors.
- Technology Watch
CERT.be performs a continuous technology watch in the field of cyber security and information security in the broadest sense. This watch feeds CERT.be’s other services and allows it to keep on top of the latest evolutions in the field.
- Detection, observation and analysis of security problems
CERT.be’s mission is to detect, observe and analyse online security problems. It is thus, therefore, the central contact point for the notification of security incidents and information about cyber three.
Arrêté royal du 10 octobre 2014 portant création du Centre pour la Cybersécurité Belgique,» M.B.,21 novembre 2014, p. 91395.
- Security audits / Penetration tests
On request, CERT.be may, depending on resources availability, perform an audit or a penetration test of the infrastructure (or part thereof) of its constituency. CERT.be may have to work with external third parties in order to provide this service.
- Security-Related Information Dissemination
CERT.be publishes when necessary guidance documents or links to such documents, that may be of interest for its constituency.
Security Quality Management Services
These services aim at using the findings and lessons learned from the practice of the various reactive services.
- Awareness raising
CERT.be takes part in the CCB’s awareness raising campaigns.
- Education / Training
CERT.be has the possibility to develop training about its areas of expertise and to organise training sessions.
CERT.be takes part in the CCB’s awareness raising campaigns.
Incident Reporting Forms
As far as possible, please use the following Incident Reporting Form.
CERT.be Incident Reporting Form
The following form has been developed to ease gathering incident information. If you believe you have been involved in an incident, please complete - as much as possible - the following form, and send it to [email protected].
This information will be treated confidentially, as per our Information Disclosure Policy.
I am: an individual user / a business / a government service / a (non-profit) organisation / an institution of vital importance
I want to: report an incident / get support regarding an incident
Type of Incident: I don't know / PC/Network has been hacked / PC/Network has been infected by a virus / Received phishing message / CEO Fraud / Scam / DDoS attack / Other
When did the incident take place?:
Has the incident been resolved? Yes / No
Have you reported the incident to the police? Yes / No
While every precaution will be taken in the preparation of information, notifications and alerts, CERT.be assumes no responsibility for errors, omissions, or for damages resulting from the use of the information contained within.