Meet John Fokker
Head of Cyber Investigations for Trellix Threat Labs
By Michael Alicea · April 28, 2022
At Trellix, we celebrate and champion our people. This week, I sat down with John Fokker, Head of Cyber Investigations for Trellix Threat Labs and one of the leading cybersecurity experts in the world, to ask for a "window into his world."
MICHAEL: Thanks for joining us today, John. I know how critical your role is and appreciate you taking a few minutes to speak with me.
JOHN: Thanks, Michael. Great to be here.
MICHAEL: Let’s start at the beginning. What drew you to cybersecurity?
JOHN: So, I was in the Royal Netherlands Marine Corps, and I did that for almost eight years, including five years within the maritime Special Operation Forces, specializing in counterterrorism. After that I was a supervisor at the National High Tech Crime Unit (NHTCU), the Dutch national police unit that investigates advanced forms of cybercrime.
MICHAEL: That’s impressive.
JOHN: I ran an intelligence team and we arrested ransomware criminals, all kinds of things. Although the Netherlands is a small country, it’s also a major international hub for web hosting and internet infrastructure. Which also makes it a perfect location for the Trellix Threat Labs.
MICHAEL: Before Trellix, you served as Head of Cyber Investigations for McAfee Enterprise’s Advanced Threat Research team. Do I have that right?
JOHN: Yes. You’re correct.
MICHAEL: So, you’ve supervised…what is it: hundreds or thousands…of large-scale cybercrime investigations and takedowns?
JOHN: Well (laughing)…I don’t know if it is thousands. Depends how you define these groups.
MICHAEL: Take us into your world. What does it feel like to be John Fokker every day?
JOHN: Sure. So, we collect all this information. Then we analyze – or enrich it, if you will – and send it out to our Trellix product teams as well as to our industry partners in international law enforcement. We work closely with these groups. We are the frontlines of the risk they manage. We are their eyes and ears.
MICHAEL: So, the work you do doesn’t just benefit Trellix customers. It sounds like you share intelligence and analysis with many other organizations active on the frontlines of cybersecurity worldwide?
JOHN: Yes, in general, that’s right. Our job is to protect Trellix customers. But when we have information that will help others in our community, we get this information into their hands. And vice versa, I should add. The enemy of my enemy is my friend, or something like that.
MICHAEL: That sounds like a civic duty that extends beyond Trellix, is that fair?
JOHN: It is. We view our role as an honorable and noble one. So, we’re sharing and interacting almost every day with dozens of countries and international groups across the world. Agencies like Europol, the FBI and NSA, the Cybersecurity and Infrastructure Security Agency (CISA), Australia’s Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). In addition to the U.S., U.K. and Australia, we’re also in close communication with the Dutch, Germans, and French, for example, and sometimes others like the Japanese and even our Romanian law enforcement.
MICHAEL: Your daily work environment sounds pretty intense.
JOHN: Perhaps. That’s a question of perspective, I think. Yes, our Threat Labs team tends to work almost around the clock. Our job is to stay ahead of attacks by using intelligence to predict and prevent them. I'm not a boss or director who can punch out at 5:00 p.m. My team is my world. Especially since the war in Ukraine started, it’s vital that I have a good connection with them, so we often get down in the trenches together, all hands on board, to get our job done.
MICHAEL: What do you worry about? What keeps you up at night?
JOHN: Well, I don’t spend too much time worrying. I’m very confident in our team because we don’t take anything for granted. We’re constantly thinking, “OK, how can we get ahead of everyone else?” If anything keeps me up at night, it’s finding cyber criminals. Getting up close. Really close to what they’re doing. So close they can feel my breath on the back of their neck. I want them to be the ones who can’t sleep at night, because they’re thinking about me.
MICHAEL: What do you think has been your biggest success?
JOHN: That’s a hard question. I’ve helped dismantle some of the largest ransomware gangs in the world, but I would have to say I’m most proud about helping to found the organization No More Ransom.
MICHAEL: Isn’t that a global collective between the public and private sectors aimed at helping victims of ransomware?
JOHN: Yes. When I was still with the Dutch police, we came across a ransomware server that hosted keys. We seized that machine and then worked with the private sector to build a decrypter. That simple concept gave birth to a platform which has saved almost a billion dollars. Basically, we have brought the public sector and the private sector together, offering a solution for free to the world. So that's one of the things I'm super proud of to be a part of.
MICHAEL: That sounds enormously rewarding.
JOHN: It is. Every single person that we help makes the effort worthwhile. The results are amazing. Often if you work in security, you do a lot of things, you apply a lot of countermeasures, but you don't see the direct result. There was a case I always remember from years back - somebody lost his PhD thesis. Then, obviously, through a decryptor from No More Ransom, he was able to retrieve his work and continue his studies. I was astonished, and thought to myself, “OK, this is why I do this job.”
MICHAEL: Some of your work is underground, isn’t it?
JOHN: Sometimes, yes. We visit cyber criminal meeting spots, chat rooms or forums. And we hang out quietly, looking at what's being offered, studying the hierarchical structure, analyzing any new pieces of malware being offered.
MICHAEL: You’re sort of like a hunter. Does that carry risks for you? Are you known personally to the more prominent malicious actors in the world?
JOHN: Well, my name pops up on certain forums once in a while, and I've had small altercations on Twitter with individuals, so yes. Not as much as Brian Krebs (laughing), but my name has popped up here and there, yes.
MICHAEL: Let’s switch gears now. Tell us what you do for fun. Where do you go on vacation?
JOHN: I go skiing frequently. I'm very fortunate that in my professional life, I get to travel. I get to work with teams across the globe and I get to experience many other cultures. Like anyone in security, I'm confronted with a lot of bad people trying to harm others. For this reason, I love to go out and experience beauty in the world. That helps me balance things out.
MICHAEL: Just out of curiosity, what kind of car do you drive? I imagine you in either a brand-new Lizard Green Porsche GT3 or an entirely self-effacing 10-year-old grey second-hand Volvo.
JOHN: (Laughing) You’re completely wrong on both counts. I don't have a car. I live in the center of Amsterdam, where cars are discouraged. I know that’s difficult for an American to understand. And besides, I'm Dutch: I’ve got a bike.
MICHAEL: What about your dreams? If you could be anyone in the world – no rules – who would that be?
JOHN: I love this question. Let me think…I’m a big fan of music. So, I’m going to go with Motörhead. I would be Lemmy Kilmister from Motörhead, shredding it in front of thousands of heavy metal fans like myself every night.
MICHAEL: Who were your other heroes growing up?
JOHN: Arnold Schwarzenegger. And even though I'm not a basketball fan: Michael Jordan. You can add Spider-Man to the list.
MICHAEL: What about today? Who are your heroes now? Any thought leaders or visionaries come to mind?
JOHN: Absolutely. I like to read a lot about Stoicism, a school of Hellenistic philosophy. So, I would say Marcus Aurelius. I’m also reading a terrific book by General Stanley McChrystal now, Team of Teams. It’s very pertinent to what we’re doing at Trellix right now.
MICHAEL: That’s quite a range. From the gates of Troy to the frontlines at Trellix. Speaking of which, why ARE you here? What’s so special about Trellix?
JOHN: I stay at Trellix because I see a tremendous opportunity for us as a company. Just look at our portfolio. We’re distinctly different than other cybersecurity players. Look at how many market through fear, for example. Not us. What is important is that our customers are trusting us for their security. Our end goal is that they can grow their own business in whatever way or form they like. It’s my job to go into the dark places, find out what is going on, and hunt these people down.
MICHAEL: It’s about protection, not fear.
JOHN: Exactly. Protecting is about building security and living that security and being adaptive. So that's why the notion of Trellix as a trellis supporting them is such a powerful, symbolic structure. That is what helps our customers succeed. They'll never understand the threat landscape as we do, because our entire lives are dedicated to that. But that's why they called us. That’s why I’m at Trellix.