Cyber defenders need to remember their adversaries are human, says Trellix research head

Cybersecurity professionals must remember they are fighting real people, not abstract threats, and recognise the increasingly blurred lines between cybercriminals and nation-states.

This was the message from John Fokker, head of threat intelligence at Trellix Advanced Research Center, during his RSA Conference 2025 keynote. Drawing on his background as a former Dutch high-tech crime unit officer, Fokker stressed the human element. "So often we forget that these cyber criminals are real people," he said. "It's tempting to anonymize threats ... but really they're just bad people, regular names sitting behind a keyboard."

Fokker, whose Trellix team provides threat intelligence to critical sectors, cautioned against over-focusing on advanced attacker tech. "A cybercriminal will always prefer a victim with weak passwords, bad patching and no MFA," he noted from experience.

A key theme was the convergence of financially motivated crime and state agendas. "In the past, you had very clear lanes of demarcation," Fokker explained. "Now those lines have blurred. Nation states are using proxies ... using cyber criminals ... causing disruption and stealing data."

He illustrated this with an investigation into the Black Basta ransomware group, leveraging leaked internal chats that revealed the group's leader, "Oleg" (formerly "Tramp" in the Conti group), and a concerning incident. "Last year, Oleg... flew from Moscow to Armenia. However, he was arrested upon arrival,” said Fokker. “Three days later, he escaped custody, and he was back in Russia."

According to the chats, Fokker said: "Oleg claimed government officials flew to Armenia to ensure he was escorted back safely," referencing a "green corridor" escape route allegedly arranged by a high-level official known as "number one." While these chat claims are unproven, Fokker asserted, "this story is just one example of the blurring lines between nation states and cyber criminals".

Despite potential state backing, attackers are fallible. Fokker described a Black Basta attack on a US healthcare firm where their encryption tool failed. "They made a major mistake," he said, which forced them to pivot to data leak threats after their primary extortion method failed.

Fokker championed collaborative intelligence sharing as the crucial defence. By mapping attackers' tactics, techniques, and procedures (TTPs) – the hardest elements for them to change – the security community can maintain detection even post-rebranding. "Once we know how they operate at the TTP level, we can spot them the moment they launch the next offensive, and that's where we hold the real power," he declared.

He concluded with a call for unity: "When you see your adversary... in clear daylight, fear melts away... Let's keep building, keep collaborating... because when we work as one community, there is no question we will reach the top."