Slovenian Cyber Team Handles 6,000 Incidents Annually


Key Takeaways

  • SI‑CERT, Slovenia’s national cyber‑response centre, handles roughly 6,000 cyber‑incident reports per year – a twenty‑fold increase from a decade‑and‑a‑half ago.
  • The centre uses three dedicated triage lines (routine fraud, serious technical incidents, and phishing) and classifies every case with an adapted ENISA reference taxonomy.
  • Originally a three‑person outfit inside the public research network ARNES, SI‑CERT now employs about 13 analysts and aims to grow to 15, all permanent, paid staff.
  • Building trust with the private sector required demonstrable value (e.g., phishing‑site takedowns during a 2012 Cyber Europe exercise); today the NIS/NIS2 directives reinforce reporting obligations, but SI‑CERT stresses assistance over compliance.
  • Cooperation with Slovenian police is well‑established: police handle mobile forensics while SI‑CERT contributes deep network analysis, IPv6 tracing, passive DNS, and malware expertise.
  • Effective incident resolution hinges on having a capable internal response team; otherwise, SI‑CERT’s involvement can add coordination chaos, especially when victims delay reporting or prioritize quick system recovery over evidence preservation.
  • Annual budget justification remains a challenge; upcoming regulations (DORA, CRA) will add vulnerability‑handling duties that demand specialised staff and multi‑year training plans.
  • Božič is sceptical of “AI‑as‑a‑finished‑product” security‑operations‑centre offers, arguing that analysts must still interpret alerts and that current AI hype mirrors the earlier blockchain wave.

Historical Roots and Growth
SI‑CERT traces its origin to a 1994 proposal by Gorazd Božič to the leadership of ARNES, Slovenia’s academic and research network. Initially embedded as a department within ARNES, the centre mirrored Croatia’s CARNET model. Starting with only three generalists, the team gradually added specialists in malware analysis, digital forensics, and threat intelligence as the workload expanded. Today SI‑CERT employs roughly thirteen analysts, with a target of fifteen for the current year, all holding permanent, paid positions within the public agency.

Incident Volume and Classification
The centre now records about 6,000 incidents annually, a stark rise from roughly 300 reports a decade‑and‑a‑half earlier. Each report follows a structured workflow: analysts first assign an incident type using an adapted ENISA reference taxonomy (adding sub‑categories as needed), note the victim’s sector, and attach free‑form tags that populate SI‑CERT’s statistical database. This taxonomy enables consistent categorisation of events ranging from denial‑of‑service attacks and compromised unprivileged accounts to ransomware infections.

Triage Process – Three Parallel Lines
To manage the growing caseload, SI‑CERT split its original single workflow into three dedicated triage lines. The routine fraud line handles the bulk of online‑scam complaints where individuals have lost money or encountered a fraud attempt; analysts provide guidance on contacting police, filing bank complaints, or other remedial steps. The serious‑incident line is reserved for cases requiring senior analyst input—technical deep‑dives, log analysis, tool selection, and coordination with the reporter and external parties. Finally, the phishing line processes phishing reports exclusively, allowing faster handling of this high‑volume threat category. The segregation streamlines processing and ensures that each issue receives the appropriate level of expertise.
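The classification and routing workflow described in the two sections above, as an added example (not SI-CERT's own tooling): a report gets a class and sub-category validated against an adapted taxonomy, a victim sector, and free-form tags, is routed to one of the three triage lines, and feeds per-type, per-sector and per-line counts. The top-level class names follow the public Reference Security Incident Taxonomy hosted by ENISA; the sub-categories, the sector list, the routing policy and the sample reports are assumptions constructed for the example.

```python
"""Incident classification and triage routing (added example, not SI-CERT code)."""
from collections import Counter
from dataclasses import dataclass, field

# Adapted taxonomy: top-level class -> allowed sub-categories.
# Class names follow the ENISA-hosted reference taxonomy; the sub-categories
# here are an assumed subset, extended the way the article says analysts do.
TAXONOMY = {
    "Fraud": {"phishing", "scam", "unauthorized-use-of-resources"},
    "Malicious Code": {"ransomware", "infection", "c2-server"},
    "Intrusions": {"unprivileged-account-compromise",
                   "privileged-account-compromise", "application-compromise"},
    "Availability": {"dos", "ddos", "outage"},
    "Information Gathering": {"scanning", "sniffing", "social-engineering"},
}

SECTORS = {"banking", "energy", "telecom", "public", "individual", "other"}

# Which sub-categories always go to the senior-analyst line is an assumed policy.
SERIOUS_SUBTYPES = {"ransomware", "privileged-account-compromise",
                    "application-compromise", "ddos", "c2-server"}


@dataclass
class Incident:
    incident_class: str
    subtype: str
    sector: str
    tags: list = field(default_factory=list)

    def __post_init__(self):
        # Reject anything the taxonomy does not know so the statistics stay consistent.
        if self.incident_class not in TAXONOMY:
            raise ValueError(f"unknown class {self.incident_class!r}")
        if self.subtype not in TAXONOMY[self.incident_class]:
            raise ValueError(f"{self.subtype!r} is not a sub-category of {self.incident_class!r}")
        if self.sector not in SECTORS:
            raise ValueError(f"unknown sector {self.sector!r}")


def triage_line(inc: Incident) -> str:
    """Route a classified report to one of the three parallel lines."""
    if inc.subtype == "phishing":
        return "phishing"          # dedicated high-volume phishing line
    if inc.subtype in SERIOUS_SUBTYPES:
        return "serious"           # senior analyst: logs, tooling, coordination
    if inc.incident_class == "Fraud":
        return "fraud"             # routine line: guidance on police, bank complaints
    # Remaining cases: organisations get the serious line, individuals the routine
    # line (assumed rule, not the centre's documented policy).
    return "serious" if inc.sector != "individual" else "fraud"


def statistics(incidents):
    """Counts of the kind an annual report would be built from."""
    return {
        "by_type": Counter(f"{i.incident_class}/{i.subtype}" for i in incidents),
        "by_sector": Counter(i.sector for i in incidents),
        "by_line": Counter(triage_line(i) for i in incidents),
        "tags": Counter(t for i in incidents for t in i.tags),
    }


# Constructed sample reports for the example; not real SI-CERT cases.
SAMPLE = [
    Incident("Fraud", "phishing", "individual", ["bank-brand"]),
    Incident("Fraud", "scam", "individual", ["marketplace"]),
    Incident("Malicious Code", "ransomware", "energy", ["backup-ok"]),
    Incident("Intrusions", "unprivileged-account-compromise", "public", ["webmail"]),
    Incident("Availability", "ddos", "telecom", ["udp-amp"]),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(f"{inc.incident_class}/{inc.subtype:34} {inc.sector:10} -> {triage_line(inc)}")
    print(statistics(SAMPLE))
```

Validation in `__post_init__` is the important part: a free-text type field is what makes year-over-year statistics incomparable, so the taxonomy is enforced at record creation and only the tags stay free-form.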

Earning Private‑Sector Confidence
In the 1990s and 2000s, government attention to CERTs was minimal, so SI‑CERT had to prove its worth to private firms on its own. A pivotal moment arrived around 2012 during a Cyber Europe exercise centred on attacks against banks. The ministry invited several banks, which discovered that SI‑CERT could carry out tasks such as phishing‑site takedowns, work the banks lacked the internal capacity or know‑how to do themselves. This won over the banking sector; the energy and telecommunications sectors followed, each at a pace set by its own maturity. While NIS and now NIS2 mandate incident reporting for the entities they cover, Božič emphasizes that the centre’s primary role is to help rather than to enforce compliance.

Collaboration with Law Enforcement
SI‑CERT’s partnership with Slovenian police began in 1998 and, after early friction over jurisdiction, has matured into smooth cooperation. The police have a strong digital‑forensics unit, especially adept at mobile‑device examinations, and they regularly call on SI‑CERT for deep network expertise such as IPv6 traffic tracing, passive‑DNS analysis, and malware reverse‑engineering. A notable example is the Anatsa case from the year before the talk, an Android malware family used to drain bank accounts. SI‑CERT analysed the residential‑proxy infrastructure the criminals used; in one incident a Slovenian victim’s funds were moved via a Slovenian IP address that traced back to a Serbian construction worker who had unwittingly joined a proxy network after plugging a cheap HDMI dongle into his TV. Božič planned to show a map of such proxy nodes in Slovenia, derived from Shadowserver Foundation data, at the same conference.

Lessons from Complex Incidents
Božič stresses that even organisations with mature response plans, business‑continuity policies, and reliable backups experience chaos during a real incident, and SI‑CERT itself can add to the coordination burden when it joins the response table. Resolution proceeds smoothly when the affected organisation already fields a capable internal team; in those cases SI‑CERT stays primarily advisory. Problems arise when a company has not thought about incidents until one happens, lacks crisis‑communication readiness, and resorts to denial as media inquiries mount, even though the truth inevitably surfaces online. Priorities also diverge: management wants services restored quickly, while SI‑CERT wants to understand the entry point, attack vector, and lateral movement. Restoring systems can destroy forensic evidence, and victims often become less willing to share details once operations resume, which makes follow‑up reports and final documentation the hardest parts for a small team. An illustrative case involved a compromised router: a cooperative administrator gathered evidence remotely, then simply announced that the device had been wiped and rebuilt, eliminating any further investigative opportunity.
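The router case above is the failure mode to design against: once the device is wiped, nothing can be checked. The following is an added example, not code from SI‑CERT or the article, of what an administrator can run before a rebuild so that an investigator still has something to work with afterwards: capture volatile state (command output), hash every file under the directories of interest, and seal the whole record with a hash so later alterations are detectable. The command list and the default path are assumptions for a Linux router; tools that are absent on the device are recorded as missing rather than aborting the collection.

```python
"""Evidence preservation before a host is rebuilt (added example, not SI-CERT code)."""
import hashlib
import json
import os
import subprocess
import time


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_volatile(commands):
    """Run each command and keep its output with a hash.

    A missing binary or a hang is recorded as an error entry instead of
    stopping the collection: partial evidence beats none.
    """
    out = {}
    for argv in commands:
        key = " ".join(argv)
        try:
            res = subprocess.run(argv, capture_output=True, timeout=30)
            out[key] = {
                "rc": res.returncode,
                "stdout": res.stdout.decode(errors="replace"),
                "sha256": sha256_bytes(res.stdout),
            }
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            out[key] = {"error": type(exc).__name__}
    return out


def build_manifest(root, commands=()):
    """Hash every regular file under `root` and attach the volatile captures."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                rel = os.path.relpath(path, root)
                files[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "root": os.path.abspath(root),
        "files": files,
        "volatile": collect_volatile(commands),
    }
    # Seal the record: the hash covers everything except itself.
    manifest["manifest_sha256"] = sha256_bytes(json.dumps(manifest, sort_keys=True).encode())
    return manifest


def manifest_intact(manifest) -> bool:
    """True if the manifest has not been edited since it was sealed."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_bytes(json.dumps(body, sort_keys=True).encode()) == manifest["manifest_sha256"]


def verify_manifest(root, manifest):
    """Map each file that changed or disappeared since collection to 'modified' or 'missing'."""
    problems = {}
    for rel, info in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif sha256_file(path) != info["sha256"]:
            problems[rel] = "modified"
    return problems


# Assumed volatile-state commands for a Linux router (not from the article).
DEFAULT_COMMANDS = [["ss", "-tanp"], ["ps", "-ef"], ["ip", "addr"], ["crontab", "-l"]]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"   # assumed default
    manifest = build_manifest(target, DEFAULT_COMMANDS)
    with open("evidence-manifest.json", "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    print(f"{len(manifest['files'])} files hashed, sealed as {manifest['manifest_sha256'][:16]}...")
```

The manifest is only useful if it leaves the device together with copies of the files and command output before the wipe; a hash list that stays on the router dies with it. Copying the JSON and a tarball of `root` to the responder's system, then checking `manifest_intact` on arrival, is the minimum.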

Budget Pressure, Emerging Regulations, and AI Skepticism
Like many public‑sector cyber units, SI‑CERT must justify its budget each year and lobby for additional resources. Although the NIS directive, DORA, and the forthcoming CRA oblige member states to fund qualified personnel, SI‑CERT still has to make its business case anew to the officials who arrive after every election cycle. The CRA, slated to take effect in late September, will add vulnerability‑handling responsibilities that call for a skill set distinct from traditional digital forensics and a multi‑year training plan to build that capacity. On artificial intelligence, Božič remains wary of vendors marketing “automated SOCs” as turnkey solutions. He contends that analysts must still interpret alerts, a skill that develops only through experience and study, and likens the current AI hype to the blockchain enthusiasm of a decade ago, which promised broad revolution and eventually settled into niche applications. He recalls an EU strategy statement envisioning an AI‑powered network of SOCs as Europe’s cyber shield, yet notes that the critical questions of which centres, which standards, and which specific AI technologies remain unanswered. His consistent message to the private sector is that SI‑CERT exists to assist, guarantees confidentiality, adheres to community standards established since 1989, and requests only the information essential to each case.
