Online fraud complaints, ransomware cases, and phishing tips reach Slovenia’s national cyber response center in steady volume, and a team of around a dozen analysts sorts through them. Gorazd Božič, who manages SI-CERT at the public agency ARNES, described that work in an interview conducted in person at the Span Cyber Security Arena conference. He put the original proposal for a Slovenian CERT to ARNES leadership in 1994, and the center now records about 6,000 incidents a year, up from roughly 300 ten to fifteen years earlier.

How incidents get sorted

SI-CERT runs three triage lines. One handles routine reports, mostly online fraud where someone has lost money or encountered a scam attempt. These follow a linear path, with the team sending advice on options such as contacting the police or filing a complaint with a bank. A second line covers more serious incidents that need a senior analyst to weigh the technical details, decide which tools and logs matter, and coordinate with the reporter and other parties. A third line handles phishing reports on its own. The team began with one workflow for everything and split it into three lines as the workload grew, which let them streamline processing.

Each case gets classified with the ENISA reference taxonomy for security incidents, adapted with extra subcategories. Analysts label the incident type, such as denial of service, a compromised unprivileged account, or ransomware, record the victim’s sector, and add free-form tags that feed the center’s statistics.
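The three triage lines and the taxonomy-based record keeping described above, as an added illustration that is not SI-CERT's own tooling: incoming reports are routed to the routine, senior-analyst or phishing line, the routine line gets the linear advice path, and each record carries an ENISA RSIT classification/type pair, a victim sector and free-form tags that roll up into counters. The RSIT pairs are a subset of the published taxonomy (spelling assumed to match the working copy), the routing rule is a simplification of what the interview describes, and the sample reports are constructed.

```python
"""Toy incident triage: route reports to one of three lines and build statistics."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# The three lines named in the interview.
ROUTINE, SENIOR, PHISHING = "routine", "senior", "phishing"

# (classification, type) pairs from the ENISA Reference Security Incident
# Taxonomy (RSIT). Only the types mentioned in the article are listed; the
# spelling is assumed to follow the published RSIT working copy, and a real
# deployment would add its own subcategories here.
KNOWN_TYPES = {
    ("Fraud", "Phishing"),
    ("Fraud", "Masquerade"),            # assumed mapping for generic scam reports
    ("Malicious Code", "Ransomware"),
    ("Availability", "Denial of Service"),
    ("Intrusions", "Unprivileged Account Compromise"),
}


@dataclass
class Incident:
    classification: str
    incident_type: str
    sector: str                          # victim sector, e.g. "banking"
    money_lost: bool = False
    tags: set[str] = field(default_factory=set)   # free-form analyst tags

    def __post_init__(self) -> None:
        # Reject pairs outside the adopted taxonomy so statistics stay consistent.
        if (self.classification, self.incident_type) not in KNOWN_TYPES:
            raise ValueError(
                f"unknown RSIT pair: {self.classification}/{self.incident_type}")


def triage_line(inc: Incident) -> str:
    """Phishing has its own line, plain fraud reports take the routine path,
    and anything that needs log and tool analysis goes to a senior analyst."""
    if inc.incident_type == "Phishing":
        return PHISHING
    if inc.classification == "Fraud":
        return ROUTINE
    return SENIOR


def routine_advice(inc: Incident) -> list[str]:
    """Linear advice path for the routine line, using the options named in the article."""
    advice = ["report to the police"]
    if inc.money_lost:
        advice.append("file a complaint with your bank")
    return advice


def statistics(incidents: Iterable[Incident]) -> dict[str, Counter]:
    """Counters that feed yearly statistics: per type, sector, triage line and tag."""
    by_type, by_sector, by_line, by_tag = Counter(), Counter(), Counter(), Counter()
    for inc in incidents:
        by_type[inc.incident_type] += 1
        by_sector[inc.sector] += 1
        by_line[triage_line(inc)] += 1
        by_tag.update(inc.tags)
    return {"type": by_type, "sector": by_sector, "line": by_line, "tag": by_tag}


# Constructed sample reports (not real SI-CERT data).
SAMPLE = [
    Incident("Fraud", "Masquerade", "citizen", money_lost=True, tags={"webshop-scam"}),
    Incident("Fraud", "Phishing", "banking", tags={"bank-phish"}),
    Incident("Malicious Code", "Ransomware", "energy", tags={"backups-available"}),
    Incident("Availability", "Denial of Service", "telecom"),
    Incident("Intrusions", "Unprivileged Account Compromise", "banking",
             tags={"residential-proxy"}),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(f"{inc.classification}/{inc.incident_type} -> {triage_line(inc)}")
    print(statistics(SAMPLE)["line"])
```

Keeping the taxonomy check in `__post_init__` is the point worth copying: free-form tags are useful for analysts, but the classification and type fields must come from a fixed vocabulary or the year-end statistics stop being comparable across years and with other CERTs that use the same taxonomy.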

A public-sector team that grew slowly

Božič put the original proposal to the director of Slovenia’s academic and research network in 1994, and SI-CERT became a department inside that public agency. Croatia took a similar route with CARNET. The team started with three generalists who each covered every task; as it grew, staff specialized, with people added for malware analysis, digital forensics, and threat intelligence. It remains small, with about 13 people and a goal of 15 this year, and everyone works on the CERT as a paid, permanent role.

Earning the private sector’s trust

Through the 1990s and 2000s, governments paid little attention to CERTs, so the center had to prove its value to private companies on its own. A turning point came around 2012 during a Cyber Europe exercise built around attacks on banks. The ministry invited several banks, and the banks learned that SI-CERT could take over tasks such as phishing site takedowns, work they lacked the capacity and know-how to do themselves. The banking sector came around, and the energy and telecommunications sectors followed, each in line with its own maturity. The NIS and NIS2 directives now require entities deemed essential or important to report incidents, and Božič prefers to stress the help the center provides over the legal mandate.

He recalled a visit to a Slovenian power plant where staff asked how SI-CERT could help without knowing their SCADA and operational technology systems. His answer turned on a common entry point: many attacks on a plant begin with an infected Windows system that controls it. He asked how many malware analysts the plant kept on staff and guessed the number was zero, since keeping one on standby for years rarely pays off for a single company.

Government funding lets SI-CERT maintain a malware analysis lab and hand the plant a report it can use to judge the effect on its own systems. Božič said the center’s role still gets misread as an inspectorate or a branch of law enforcement, and closing that gap remains ongoing work.

Working alongside the police

SI-CERT and Slovenian law enforcement first worked a case together in 1998. Cooperation runs smoothly now, after early friction over roles and turf. The police run a strong digital forensics unit and excel at mobile device work, and they turn to SI-CERT for deep network knowledge, things like tracing IPv6 traffic or sifting passive DNS records, along with malware analysis.

Božič pointed to the Anatsa case from last year, an Android malware family used to drain bank accounts, where SI-CERT analyzed the residential proxy side. In one instance a Slovenian victim lost the money in a bank account, and a Slovenian IP address appeared to log in and move the funds. A dawn house search turned up a surprised Serbian construction worker with no IT background. He had bought a 10-euro HDMI dongle from a man in a Trieste cafe, plugged it in to watch football channels, and unknowingly joined a residential proxy network that criminals rent. Božič planned to present a map of such proxies in Slovenia, drawn from Shadowserver Foundation data, later that day.

Lessons from messy incidents

Every hard incident carries an element of chaos, even at organizations with response plans, business continuity policies, and working backups. SI-CERT itself adds to the coordination load as one more party at the table. Resolution goes smoothly when a capable local team is in place, and in those cases the center stays in an advisory role. Trouble comes when a company first considers an incident only after one hits, lacks crisis PR, and reaches for denial as reporters begin calling. He added that the truth comes out on the internet.

He described differing motivations during response. Management wants systems running again quickly, and the center wants to understand the entry point, the attack vector, and how it spread. Bringing systems back can destroy evidence, and a victim’s willingness to share tends to drop once operations recover. Follow-ups, the final reports, and the last pieces of information are the hard parts for a small team. In one router compromise, a cooperative administrator agreed to collect evidence remotely, then sent a short message saying he had wiped and rebuilt the machine.

Budget pressure and AI claims

SI-CERT justifies its budget each year and presses for more. The NIS directive, DORA, and the CRA direct member states to fund qualified staff, and in practice the center repeats its case to new officials after every election cycle. The CRA begins to apply in late September, with further provisions following, and it adds vulnerability handling duties that call for a separate group with skills distinct from digital forensics and a multi-year plan to train them.

On AI, Božič is skeptical of vendors selling automated security operations centers as a finished product. An analyst still needs to understand what an alert means, and building that knowledge takes time.

He compared the current hype to blockchain a decade ago, which promised to solve broad problems and settled into a narrower role. He recalled an EU strategy line about an AI-powered network of security operations centers serving as Europe’s cyber shield, and his questions about which centers, which standards, and which AI went unanswered. His message to the private sector stayed steady throughout: the CERT exists to help, keeps information confidential, follows community standards in place since 1989, and asks only for the information a case requires.
