TL;DR: Since 2014, Lumen’s Black Lotus Labs has safeguarded customers by tackling DDoS attacks and beyond. Black Lotus Labs leverages visibility from its global network to track, monitor, and block threats from reaching customer assets. The Lumen team recently released DDoS Hyper to accelerate and automate DDoS mitigation to take down attacks quickly. The company has built an extensive threat intelligence platform and is on a mission to defend a clean internet for all.
The evolution of cyberattacks has led to a sophisticated makeover of threats. During the web’s infancy in the 1990s, cyberattacks were a rarity compared to today. Hacking was an outlet for rebellious teens and other young people to showcase their skills, try something new and edgy, and test their curiosity. Although this category of actor still exists, many other threat actors have since emerged and joined the dark web with far darker intentions.
Over the years, cybercriminal groups and nation-states have grown in notoriety, building empires to funnel money and gain access to personal data, then holding it hostage as part of ransomware campaigns and other tactics. These malicious groups continue to innovate and elevate their game as other industries become more aware of their attacks. While malicious actors increase their capabilities, companies such as Lumen have built their own task forces and technologies to combat and safeguard clients from cyberattacks.
“Since 2014, Lumen has been applying security analysis and machine learning visibility to find unique threats and stop them to better protect our own company, our customers, and keep the internet clean,” said Mark Dehus, Director of Threat Intelligence at Lumen.
Lumen, a merger of CenturyLink and Level 3, is a multinational technology company focusing on next-gen innovation, cloud connectivity, global network infrastructure, and security. In 2014, the company launched a cybersecurity team called Black Lotus Labs, formed to defend a clean internet and block digital threats. Its security initiatives help protect its customers’ networks and feed the overall security industry efforts.
“We see this as a general good to help clean up the internet. We have a lot of responsibility to help with that, given our massively global backbone,” said Mark.
Disrupting 150 Command and Control Servers a Month
Lumen’s Black Lotus Labs has matured a lot since its inception, and it has seen various threat actors and impact events since 2014. Today, Black Lotus Labs researches and uncovers new threats from highly sophisticated actors and integrates with Lumen’s robust security capabilities to combat them. But its primary mission is to keep Lumen customers safe from attacks. Lumen has visibility into threat activity that transits its network through a protocol called NetFlow.
“NetFlow is to the network what call-detail records are to phone companies. It contains information that shows this number called that number but no information about what was exchanged during the call, so privacy is preserved. Seeing which hosts are talking to which hosts helps give insight into what threats are doing on the internet, and enables us to find unique threat infrastructure,” said Mark.
With this insight, the Lumen team can learn how to protect customers better and keep the internet safe. One way it leverages this information is by blocking the most severe threats at its network edges. When Lumen stops a threat across its network, that threat can no longer reach any of its customers and has a more difficult time transmitting across the internet. For some threats, such as those that are also legitimate websites that have been compromised, Lumen empowers its security customers to choose whether to block or allow.
“We enable our managed security services customers to have a choice. They can block all of the threats that Black Lotus Labs recommends, or choose to be more selective based on their risk tolerance,” said Mark.
One example of a severe threat that Lumen puts in its crosshairs to disrupt is command and control (C2) servers, the heart of malicious botnet infrastructure. Black Lotus Labs uses machine learning against its visibility to automatically identify command and control infrastructure of botnets and takes action against them. Blocking them from the network makes it much harder for botnets to successfully operate.
“We disrupt on average 150 command and control servers a month, and each has thousands, in some cases, tens of thousands of bots reporting to them. So blocking even one command and control server creates havoc for the botnet operators,” said Mark.
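The NetFlow-based C2 identification described above works on metadata only: which hosts talk to which, how often, and how many distinct sources report to the same destination. The following is an added illustration, not Black Lotus Labs code, of one simple form of that logic: it takes constructed NetFlow-style records (documentation IP ranges, labelled as constructed) and flags destinations that several distinct sources contact at regular "beacon" intervals, while a popular server contacted at irregular times is left alone.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (start_time_s, src_ip, dst_ip, dst_port, bytes).
# No payload is present, mirroring the call-detail-record analogy from the article.
def _beacon(src, dst, port, period, count, jitter):
    """Constructed periodic check-ins with a small alternating jitter."""
    return [(i * period + (jitter if i % 2 else 0), src, dst, port, 512) for i in range(count)]

FLOWS = []
# Three constructed bots reporting to the same host every ~5 minutes.
for bot in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
    FLOWS += _beacon(bot, "203.0.113.10", 443, period=300, count=6, jitter=15)
# A constructed legitimate web server: many sources, but irregular human-driven timing.
for i, client in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14")):
    FLOWS += [(t + i * 7, client, "198.51.100.20", 443, 4096) for t in (5, 20, 800, 830, 2000)]
# One lone periodic poller of the legitimate server (below the fan-in threshold).
FLOWS += _beacon("192.0.2.30", "198.51.100.20", 443, period=600, count=5, jitter=10)


def c2_candidates(flows, min_sources=3, max_jitter=0.2, min_flows=3):
    """Return {(dst_ip, dst_port): [src_ips]} for destinations that at least
    `min_sources` distinct sources contact at near-constant intervals.
    Regularity is measured as the coefficient of variation of inter-flow gaps."""
    times_by_pair = defaultdict(list)
    for ts, src, dst, port, _size in flows:
        times_by_pair[(src, dst, port)].append(ts)

    periodic_sources = defaultdict(set)
    for (src, dst, port), times in times_by_pair.items():
        if len(times) < min_flows:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            periodic_sources[(dst, port)].add(src)

    # High fan-in of periodic sources is the signal; one periodic client is not enough.
    return {dest: sorted(srcs) for dest, srcs in periodic_sources.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    for (dst, port), srcs in c2_candidates(FLOWS).items():
        print(f"candidate C2 {dst}:{port} <- {len(srcs)} periodic sources: {srcs}")
```

In a real deployment the thresholds would be tuned against the operator's own traffic, and hits would feed the block/allow choice the article describes rather than being blocked blindly.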
Launching DDoS Hyper to Mitigate DDoS Attacks in Minutes
Lumen takes DDoS mitigation to the next level with its latest release, DDoS Hyper. DDoS attacks can cause an organization significant losses, as they can completely take down services for hours and even days. Lumen offers mitigation upfront by scrubbing out bad traffic and passing clean traffic through. DDoS Hyper also greatly accelerates the turn-up of Lumen’s DDoS mitigation service through automation.
“So with DDoS Hyper, what we’ve done is automate a lot of the turn-up and provisioning of the DDoS mitigation service, which is something unique within the communications industry,” said Mark.
Customers under attack who do not currently have DDoS protection can order Lumen DDoS Hyper and have their websites or services protected in a matter of minutes. Lumen customers drove this development: many had called Lumen while under attack, asking for an emergency turn-up. So Lumen invested in automation, so that customers do not have to wait for a technician to manually turn up the service while they are under attack.
Lumen has also integrated Black Lotus Labs threat data into DDoS Hyper. It comes pre-loaded as countermeasures into the DDoS mitigation platform, which enables the service to automatically block potential sources of DDoS attack traffic.
“So that’s another way that we differentiate our DDoS service and have an impact in the places where we would not cause potential collateral damage,” said Mark.
Contributing to Threat Research to Build Intelligence
Threats have become more sophisticated and their presence more widespread over the years. Similar to AWS services, criminal groups are now running malicious infrastructures that other criminals can lease to launch attacks. Nation-state threats have also grown, with more governments backing hacking activities. As threats become more complicated, Lumen seeks to combat them by becoming more proactive with its threat research.
“Threat research has been around since maybe 2015 or earlier, and it will continue to grow. It’s a way of being proactive about the threats, building intelligence about actors’ motives and how they operate,” said Mark.
Black Lotus Labs has been tracking huge crime organizations, including those that leverage pervasive malware such as Emotet, for years and has collected and contributed to research information on them. Mark said many research groups are limited in their visibility to what they can uncover from just the malware itself. Black Lotus Labs, on the other hand, has its own network telemetry where it can research and collect data on threats including Emotet and other malware families.
“We can see what they’re doing so we can help prepare and inform the industry — as well as other researchers and defenders — to have a good set of knowledge and understanding about what these threats are doing so that they can better defend themselves,” said Mark.
As for what’s next for Lumen, it plans to deepen its investment in Black Lotus Labs and expand its capabilities.
“The company is leaning further into Black Lotus Labs and finding ways that we can use that to both grow capability and enable more impact. We can block things across our network, but we want to continue to empower customers with more choices, so we’re working on integrating that capability into some of our other products,” said Mark.