The EU project INTERCEPT brings numerous advantages by enhancing collaboration and information sharing through the Threat Sharing Platform (TSP). As part of this collaborative ecosystem, national cybersecurity institutions also play an important role. The Slovenian Computer Emergency Response Team (SI-CERT), active in the international cybersecurity community for over 30 years, contributes significantly to this effort as an active consortium partner.
With more than a decade of experience exchanging cyber threat intelligence (CTI) via the Malware Information Sharing Platform (MISP), SI-CERT ensures that data collected by local SOC teams through TSP can be disseminated further and used to protect a broader network of connected organizations.
In practice, this means that threats observed in Slovenia do not remain isolated but become part of a shared cyber landscape. This collective visibility allows INTERCEPT partners to detect threats more precisely and respond more swiftly. SI-CERT, as the coordinator of Slovenia’s MISP node, maintains a culture of trust and solidarity in threat sharing, while TSP provides a secure, anonymized and traceable channel through which local observations are transformed into actionable intelligence ready for distribution.
What Makes the Threat Sharing Platform Essential for Secure Cyber Exchange
TSP acts as a secure intermediary between internal data sources and the threat-sharing community. Its primary benefit lies in data anonymization and minimization: personally identifiable information, sensitive business details, and internal infrastructure identifiers are systematically removed or pseudonymized before sharing, preserving the operational value of indicators. This enables organizations to share technical signs of malicious activity and descriptions of attacker behaviour without revealing victim identities, internal IP addresses, email addresses, or other sensitive information.
The Threat Sharing Platform also improves the quality and usability of the information it receives. It brings data from different sources into a consistent format so everything can be compared and understood in the same way. The platform adds useful labels — such as how sensitive the information is, how much it can be shared, how trustworthy it is, and where it came from. This helps remove duplicates, reduce noise, and highlight what is most relevant.
Once the data is cleaned and organized, the platform automatically converts it into a format that security tools can immediately use. This means the information can be sent straight into systems like security monitoring dashboards, endpoint protection tools, or intrusion detection systems without additional manual work.
Equally important is TSP’s governance of sharing and compliance. Granular distribution rules, audit trails, indicator lifecycle management, and time-limited retention ensure that sharing is proportionate, lawful, and verifiable. In sectors with heightened privacy or confidentiality requirements, TSP acts as a safety valve – enabling “as much as needed, no more than that” – and opens doors to collaboration where hesitation previously prevailed.
Data Flow Between TSP and MISP
The data flow from TSP to MISP follows a clear and traceable path: capture and anonymization in TSP, normalization and enrichment, automatic mapping into MISP structures, and distribution based on predefined sharing levels. TSP ensures that metadata capable of identifying the source is trimmed or replaced with pseudonyms, while retaining enough context (timelines, attribute links, campaigns) for effective defence. When correlations are detected with existing events, feedback is returned via sightings and quality metrics to TSP, reinforcing and refining the shared knowledge.
This bidirectional integration enables rapid transition from observation to action. Indicators marked for blocking are directly translated into policies on firewalls, email gateways, and web proxies; indicators and TTPs marked for monitoring are converted into hunting queries and alert mechanisms in SIEM and EDR. False positives or outdated indicators are returned by partners, enabling cleanup and reducing operational overhead.
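The TSP-to-MISP path described above (minimization, pseudonymization, normalization, mapping, distribution) can be sketched as follows. This is an added example, not code from INTERCEPT or TSP; the input record layout, the minimization rules and the TLP-to-distribution policy are assumptions, while the output uses MISP's event and attribute JSON fields.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample observation from a hypothetical local SOC (not real data).
SAMPLE = {
    "reporter": "soc-hospital-a",
    "summary": "Phishing wave with credential-harvesting page",
    "tlp": "amber",
    "observables": [
        {"type": "domain", "value": "Login-Portal.Example"},
        {"type": "ip-dst", "value": "203.0.113.45"},
        {"type": "ip-src", "value": "10.20.3.17"},  # internal host
        {"type": "email-dst", "value": "jane.doe@hospital.example"},  # victim
        {"type": "domain", "value": "login-portal.example "},  # duplicate
    ],
}
VICTIM_TYPES = {"email-dst"}  # assumed minimization rule
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]
# Assumed policy mapping TLP to MISP distribution levels (0 = own organisation
# only, 1 = this community, 2 = connected communities, 3 = all communities).
DISTRIBUTION = {"red": 0, "amber": 1, "green": 2, "clear": 3}

def pseudonym(source, key):
    """Keyed, stable pseudonym: reports from one source still correlate."""
    return "src-" + hmac.new(key, source.encode(), hashlib.sha256).hexdigest()[:12]

def is_internal(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # not an IP literal
    return any(ip in net for net in INTERNAL_NETS)

def to_misp_event(obs, key):
    seen, attrs = set(), []
    for o in obs["observables"]:
        value = o["value"].strip().lower()  # normalize before comparing
        if o["type"] in VICTIM_TYPES or is_internal(value) or (o["type"], value) in seen:
            continue  # minimize and de-duplicate
        seen.add((o["type"], value))
        attrs.append({"type": o["type"], "category": "Network activity",
                      "value": value, "to_ids": True})
    attrs.append({"type": "text", "category": "Other", "to_ids": False,
                  "value": pseudonym(obs["reporter"], key), "comment": "pseudonymized source"})
    return {"Event": {"info": obs["summary"], "distribution": DISTRIBUTION[obs["tlp"]],
                      "Tag": [{"name": "tlp:" + obs["tlp"]}], "Attribute": attrs}}
```

The free-text summary is passed through unchanged here; a production pipeline would scrub it as well, since analysts often paste victim names into descriptions.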
International MISP cooperation through SI-CERT
SI-CERT’s international cooperation through the MISP platform serves as a central hub for sharing cyber threat information. Through connections with the ENISA CSIRTs Network, CIRCL, CERT-EU, EATM-CERT, and the global FIRST community, SI-CERT both receives and contributes up-to-date threat indicators, attacker methods, and analyses. This shared intelligence strengthens investigations, accelerates detection, and improves response across Slovenia.
Automated cross-border sharing provides verified information faster than many commercial sources, enabling immediate correlation in security tools and early blocking of malicious infrastructure. The exchange is also two-way: Slovenian organizations can contribute their own findings, add context, and help reveal how individual incidents fit into larger attack campaigns.
The global MISP community, in turn, enhances local resilience by giving SI-CERT and administrators a broader view of emerging threats. Together, these efforts show that open, timely sharing remains one of the most effective defences against attacks that ignore national boundaries.
Real Impact in Everyday Incidents
The Threat Sharing Platform and MISP prove their value in real cyber events. In phishing cases, the platform extracts key technical details, removes victim data, and quickly sends indicators to partners for fast blocking and awareness.
In ransomware campaigns, early signs of attacker infrastructure can be shared safely, helping organizations run focused hunting queries and shorten detection time. For DDoS attacks – where attackers overwhelm services with massive amounts of traffic to make them unavailable – the platform aggregates telemetry from multiple providers, removes customer details, and shares standardized data that enables coordinated filtering and faster mitigation. It also supports supply chain cases by sharing prioritized exposure lists and observed exploitation attempts. Even in financial fraud and business email compromise, it protects victim identities while providing the indicators banks and companies need for proactive defence.
Across all scenarios, the outcome is the same: anonymized, timely intelligence helps organizations detect and respond faster.
INTERCEPT turns information into protection
By transforming local observations into trusted, anonymized intelligence, INTERCEPT enables faster detection, smarter response, and coordinated defence. What once stayed within individual organisations now strengthens an entire community.

