Unraveling DXP and DLP: Halcyon’s Data Extortion Defense

Category: Platform
Written by Zuri Cortez. Published on Oct 24, 2025.

Why Data Protection Matters More Than Ever

Every organization in operation today lives or dies on data. Whether it’s a small retail business or a billion-dollar social media empire, they all share the commonality of data dependency. Alongside that dependence comes risk, and with risk the need to safeguard intellectual property, Personally Identifiable Information (PII), operational insights, metrics, internal financial records and stored backups. Although various types of malware pose a serious threat to data, the risk of ransomware encrypting your files and holding them hostage is the threat you can’t afford to ignore.

Data extortion adds an extra dimension to the threat of ransomware as these stolen files are used to blackmail organizations, placing their reputation and compliance adherence on the line. Investing in a solid DLP solution can help address double extortion-based attacks. But just how effective is this approach, and is there potentially a better solution to the problem?

So, What Actually Is DLP?

Data Loss Prevention (DLP) tools are meant to address several concerns: what data needs protection, where it’s going, how it’s used, and whether the configured rules are being followed to keep it safe. DLP is intended to solve the following use cases:

  • Preventing data theft by outside threat actors who manage to gain access
  • Managing and controlling information shared outside the organization through apps, APIs or with partners
  • Protecting data when it’s being transmitted and when it’s stored

But an argument can also be made that DLP’s primary mission in most organizations is to safeguard against insider threats. Commonly, insider threats fall into any of the following categories:

  • Compromised internal employees or socially engineered insiders
  • Insiders with legitimate access but malicious intent
  • Accidental data leakage due to negligence or mishandling of data
  • Retribution following termination of employment

Since anyone can fall into one or more of these categories, organizations lean heavily on DLP to discover and prevent insider threats. Ransomware threat actors know that DLP tools are heavily focused on insider threats, and use that to their advantage.

Solving For the Symptom and Not the Condition

DLP isn’t without its blind spots, and this is exactly where ransomware threat actors hope to take advantage of an organization’s own defenses. We’ll focus on a few of the most common issues seen inside organizations with DLP.

Blind to Endpoint Manipulation

Ransomware threat actors will often start by disabling endpoint agent protection, which can include DLP agents hosted on the local endpoint. Bypassing or disabling the agent, using unmonitored ports, or using obfuscation techniques like renaming file extensions makes it difficult for DLP agents to track changes or even notice exfiltration attempts.

Limited Visibility into Encrypted Channels

As the saying goes, you don’t know what you don’t know, and threat actors make every effort to mask their exfiltration. Many DLP solutions cannot inspect or block exfiltrated data that is either already encrypted or passed through secure channels. In this case, encrypted traffic could be passed as SSL/TLS traffic, via VPN, through secure messaging apps or even file sync tools with end-to-end encryption such as Dropbox with Zero-Knowledge Encryption. Campaigns like AsyncRAT take advantage of obfuscated payloads and legitimate infrastructure to slip past endpoint defenses like DLP and exfiltrate data. While DLP could potentially see where the data is going, it won’t see what it is or what’s in it.

Configuration and Data Types

Traditional DLP solutions often fall short against ransomware extortion because they rely on complicated, static configurations that can’t keep up with all the different types of data being targeted, such as backups, source code, or sensitive metadata. They usually miss activity across cloud services, endpoints, and hidden channels, either flooding teams with false alarms or completely missing real threats. Without flexible, context-aware policies, wide coverage, and the time to continuously tune them, DLP ends up either too noisy to be useful or too blind to catch the real risks.

Delayed Detection

While alert fatigue is a genuine challenge, delayed detection and slow notifications can lead to far greater consequences. There is often a gap between the detection of an exfiltration incident and the time the security team is actually notified. This gives threat actors ample opportunity to move large amounts of data quickly, either encrypted or compressed. Further, threat actors with system or administrative access may also delete or encrypt log data to cover their tracks long before a security team is aware of the breach.

So, What Is DXP?

Halcyon Data Exfiltration Protection (DXP) is designed to directly address the double extortion problem. While DLP looks broadly at all forms of data movement, DXP focuses primarily on the data exfiltration seen with ransomware double extortion techniques. DXP uniquely focuses on the following:

  • Ransomware-tuned behavioral anomaly detection for outbound data flows
  • Automated threshold-based exfiltration discovery and detection
  • Halcyon Ransomware Detection & Recovery rapid response and escalation

DXP functionality is critical because it proactively targets the ransomware-specific threat of double extortion with real-time behavioral detection, automated disruption, and integrated recovery. Specialized AI-driven insights, rapid response, and decryption capabilities designed to counter ransomware double-extortion attacks further separate DXP from DLP.

Closing the Extortion Gap Left by Traditional DLP

DXP revolves around three main areas of coverage, isolating what DLP can miss. These methods span the gaps commonly seen in DLP solutions.

Nefarious Peer Detection

Since threat actors rely on a range of exfiltration methods, network awareness is critical to identifying those attempts. Halcyon uses zero-config, behavior-driven detection to identify suspicious data moved via cloud tunneling, FTP/SFTP, unauthorized file-sharing services, and malicious C2 infrastructure.

Volumetric Detection

Exfiltration attempts can often be subtle; data may be transported slowly over a long period or all at once. Halcyon can identify these movements by targeting the volume of data being moved out of your infrastructure. This detection can serve as a key early indicator of threat actor data movement and is customizable to fit your own threshold caps.
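To make the "slow or all at once" point concrete, here is an added example (not Halcyon's implementation) of threshold-based volumetric detection: each host's outbound bytes are summed over two sliding windows, a short one that catches bulk dumps and a long one that catches low-and-slow trickles. The hostnames, byte counts and the caps in THRESHOLDS are constructed for the example.

```python
from collections import defaultdict, deque

# Per-host outbound byte caps, keyed by window name: (window seconds, byte cap).
# Illustrative values chosen for this example, not product defaults.
THRESHOLDS = {
    "burst": (5 * 60, 100_000_000),       # 100 MB within 5 minutes: bulk dump
    "trickle": (24 * 3600, 500_000_000),  # 500 MB within 24 hours: low-and-slow
}

# Constructed outbound flow records: (epoch seconds, source host, bytes sent).
FLOWS = (
    [(0, "ws-17", 40_000_000), (60, "ws-17", 45_000_000), (120, "ws-17", 60_000_000)]
    + [(3600 * i, "ws-03", 45_000_000) for i in range(12)]   # 45 MB every hour
    + [(300, "ws-09", 10_000_000), (7200, "ws-09", 10_000_000)]  # normal baseline
)

def detect_volumetric(flows, thresholds=THRESHOLDS):
    """Return one alert per (host, window) whose sliding-window total exceeds its cap.

    flows: iterable of (epoch_seconds, host, bytes_out), in any order.
    """
    windows = defaultdict(deque)  # (host, window) -> deque of (ts, bytes) still in window
    totals = defaultdict(int)     # (host, window) -> bytes currently inside the window
    alerted = set()               # alert once per (host, window), not on every record
    alerts = []
    for ts, host, nbytes in sorted(flows):
        for name, (span, cap) in thresholds.items():
            key = (host, name)
            q = windows[key]
            q.append((ts, nbytes))
            totals[key] += nbytes
            # Drop records that have aged out of this window.
            while q and ts - q[0][0] > span:
                _, old_bytes = q.popleft()
                totals[key] -= old_bytes
            if totals[key] > cap and key not in alerted:
                alerted.add(key)
                alerts.append({"host": host, "window": name,
                               "bytes": totals[key], "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_volumetric(FLOWS):
        print(alert)
```

With the sample data, ws-17 trips the burst cap after moving 145 MB in two minutes, while ws-03 never exceeds the burst cap but trips the trickle cap after twelve hourly 45 MB transfers.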

Expert-Led Investigation

Working together with our AI engine is our Ransomware Detection and Recovery (RDR) team, operating on a 24/7/365 schedule and included in the Halcyon platform. RDR serves as your in-house ransomware team to swiftly alert on exfiltration activity and deliver rapid response and decryption capabilities. Our expertise ensures timely detection and eliminates gaps in knowledge or response.

Redefining Exfiltration Detection

Whether your business is large or small, guarding your data has become more crucial than ever. Double-extortion attacks are designed to ensure payment but can also cause immense reputational damage and compliance fines. These attacks present unique challenges that require a solution specifically designed for today’s sophisticated ransomware landscape. Halcyon’s DXP is built to outwit double-extortion schemes that standard DLP wasn’t designed to detect. Ready to strengthen your defense against ransomware’s ever-evolving threats? Request a free demo and modernize your approach to data protection.
