- Black Lotus is using AI to fight increasing threats from hackers that are also using AI
- Its AI and human teams are tracking about 2.3 million threats every day
- Lumen today announced a new product with Palo Alto Networks
Lumen Technologies has operated a threat intelligence group called Black Lotus Labs since 2019, and these days it’s got more work than ever due to increased threats from AI.
Michelle Lee, senior director of Threat Intelligence at Black Lotus Labs, said AI is helping the attackers. And her colleague Craig D’Abreo, VP of Product Management at Black Lotus, said AI is increasing the sophistication and speed of attacks.
But AI is also helping defenders such as Black Lotus because it can process a massive amount of alerts and events much more efficiently than humans. Agentic security operation center (SOC) agents can parse through data at the speed of computers and push the highest threats immediately to a human analyst.
“Previously, you would have a single SOC analyst that's looking at thousands of events and alerts,” said D’Abreo. “They can miss a lot of things. Those are the type of challenges that most of our customers are facing.”
Lumen offers 24/7 SOC operations with agentic capabilities, and it also offers the unique capability of providing visibility from its own global IP backbone network.
Lee said, “We leverage the global telemetry that occurs across the backbone to understand adversaries' networks. We can discover their points of presence around the world and block that criminal activity.”
When Black Lotus discovers security threats it then takes action to shut down that activity with help from law enforcement, its customers and even other service providers. Black Lotus takes in about 200 billion NetFlow sessions and DNS queries every day, which wouldn’t be possible without the assistance of AI.
“AI and analytics and the teams behind it are tracking about 2.3 million threats every single day,” said D’Abreo.
Lee said, “We've got human intelligence and we've got AI intelligence working together at tremendous scale to detect millions of threats a day automatically. We increasingly think about our AI assets as part of our scale.”
It’s a good thing that Black Lotus is using AI because threat actors are definitely using it, too.
Lee said that increasingly, ransomware actors are targeting edge devices, whether they be a VPN gateway, a mail server or a firewall. Once they gain access to an enterprise’s network via these entry points, they can steal data and use AI to accelerate threats.
In fact, one of the botnets that Black Lotus has been tracking recently takes advantage of Android-based malware. “They infect the Android device, and then they have a point of presence wherever that device goes,” said Lee.
What motivates threat actors?
It might seem as if the motivation for hackers and threat actors is obvious: money.
But Lee said there are several other motivations, as well. She said information stealing is a big motivation. “We’re seeing adversaries not only interested in encrypting a network and holding a company up for ransom, which definitely is alive and well, but we see actors increasingly trading in information on the underground ecosystem.”
Threat actors also like to compete against each other for status. Lee said a large DDoS attack dubbed “Kimwolf” took down gaming sites and other internet infrastructure “for what appears to be clout.”
There are also security threats from nations that want to infiltrate networks for long-term spying. They get a foothold into a network with a “zero-day” attack that exploits a software vulnerability, and no one at the enterprise knows they’re there. Then they can harvest information for years.
New product with Palo Alto Networks
Today, Lumen announced that it’s created a new product with Palo Alto Networks to combine Lumen's managed detection and response capabilities and threat intelligence from Black Lotus Labs with Palo Alto Networks’ software.
“This technology basically integrates all the different telemetry from customers' environments like logs, server information, endpoint information,” said D’Abreo. “We collect all of that, and then we pump in Black Lotus' data. The one thing that they don't get with other service providers is the Black Lotus Labs' threat intelligence, because we're taking all of that data from our network and then pumping it into the solution, so it enriches our analysts' events and alerts that they see for better detection and response.”
Black Lotus also works with security software from other companies such as Microsoft and AWS.
More about Black Lotus Labs:
A single telecom accounted for 20% of DDoS attacks in Q1, Lumen finds