Jim Jaeger, chief cyber services strategist with Fidelis Cybersecurity (recently part of General Dynamics), has been on the ground with a number of major enterprises that have suffered a high-profile breach.

When the Fidelis Cybersecurity team was called in to investigate the Global Payments breach six years after the TJX breach, credit cards were being encrypted throughout the process; however, "there is a brief flash of a second where you decrypt and re-encrypt the data and it's not written in a file. It occurs in a second," Jaeger said. That second was all the criminals needed.

[ PART 1: Lessons learned in the aftermath of a breach ]

"There is a class of network tools called scrapers or RAM scrapers targeting the processing for random access memory in a computer, not collecting the data in transit," said Jaeger, and that's what happened with the second breach.

Coverage of the breach went on for months, with updates on the increasing number of credit cards that had been compromised. The problem was that the first forensics team only found half the breach. "They found one set of malware and blocked that activity, but didn't find the other package of malware," Jaeger said.

Two months later, credit card companies were again seeing indications that the breach was still ongoing. Within six hours of being brought in, Jaeger's team found the second breach. "We understood scrapers and reverse engineered the malware and determined that the hackers were only taking about one in five cards being processed," Jaeger said.

A scraper, if running wide open, will essentially double the workload of the server, Jaeger explained. For every legitimate transaction, the scraper is running a duplicate copy and exfiltrating it, thereby doubling the workload of the server. One of the worst things a company can do when it announces a breach is to have to go back out and announce that it's a bigger pattern than originally thought.
Organizations really need to understand the capabilities and limitations of the incident response teams that they use. These two examples lost tens of millions of dollars because they were using the wrong forensics teams.

How do you know if you're choosing the right forensics team? They are incident response experts. "Talk to companies in your industry, in particular companies that have had breaches. They can give you the pros and cons of the team they used."

Security teams need to be aware of the risks and the ongoing changes to the threat landscape. "Ransom, for example, was mostly a problem for small business or private individuals, but we are seeing an increase. Criminals are starting to move up the food chain and getting more medium-sized businesses now," Jaeger said.

One of the trends that is most concerning is the proliferation of destructive/disruptive attacks.

Jaeger noted, "I'm not sure we have done much to advance information sharing. What isn't working is the sharing of trends and results. The analytic trend is not being shared effectively. With that too, there is some good sharing being done in the financial industry, not so much in retail."

For those who are new to security and attending RSA this week, take advantage of this opportunity to learn and network. Continue to develop your skills and advance your education by getting involved in cyber competitions, and learn more at the Cybersecurity Education and Workforce Development for the Nation session, Feb. 29 from 4 p.m. to 5 p.m.