The MDBR service is a no-cost service available from the Center for Internet Security, Inc. (CIS^®), in partnership with Akamai, for U.S.-based hospitals and healthcare organizations. MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

Akamai is our selected DNS vendor for the MDBR service. Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps, and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics and, 24/7/365 monitoring. Visit www.akamai.com for more information.

MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats.

Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses (primary and secondary), every DNS lookup will be compared against a list of known and suspected malicious domains. Attempts to access known malicious domains such as those associated with malware, phishing, and ransomware, among other threats, will be blocked and logged. Accepted and blocked DNS request logs will be stored for a period of 30 days.

CIS will provide weekly reporting to each participating entity related to both accepted and blocked requests and assist in remediation, if needed.

Enterprise Threat Protector (ETP) is Akamai’s carrier-grade recursive DNS service that is integrated into the MDBR service. ETP is built on the global Akamai Intelligent Edge Platform and is a quick-to-configure, easy-to-deploy Secure Web Gateway (SWG) that requires no hardware to be installed and maintained.

ETP has multiple layers of protection that leverage real-time Akamai Cloud Security Intelligence and multiple static and dynamic malware-detection engines to proactively identify and block targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration. Every requested domain is checked against Akamai’s real-time threat intelligence, and requests to identified malicious domains are automatically blocked.

This intelligence is built on data gathered 24/7 from the Akamai Intelligent Edge Platform, which manages up to 30% of global web traffic and delivers up to 2.2 trillion DNS queries daily. Akamai’s intelligence is enhanced with hundreds of external threat feeds, and the combined data set is continuously analyzed and curated using advanced behavioral analysis techniques, machine learning, and proprietary algorithms. As new threats are identified, they are immediately added to the Enterprise Threat Protector service, delivering real-time protection.

The MDBR service is offered at no-cost for the following U.S.-based hospitals and healthcare organizations:

1. independent hospitals not operated by a state, local, tribal or territorial governmental entity;
2. multi-hospital systems;
3. hospital-based integrated health systems, meaning an organization, consisting of one or more hospitals plus at least one or more group of physicians, that provides comprehensive continuum of care and that are connected to each other through joint ownership or joint management;
4. post-acute patient care facilities; and
5. psychiatric, rehabilitation or other specialty hospitals.

Public hospitals and other healthcare organizations in the U.S. operated by a state, local, tribal, or territorial governmental entity are also eligible to receive the MDBR service through membership in the Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC members receive access to the MDBR service, along with a variety of other cybersecurity products and services, at no-cost. Eligible organizations can learn more at https://www.cisecurity.org/ms-isac/.

The MDBR service is similar to other services, such as Cisco Umbrella and Quad9, in that they all block malicious outbound DNS requests. The main differences come down to threat intelligence, logging of DNS look ups, reporting, and the ability to log into a customer portal. While Quad9 offers no logging or reporting capability, most other commercial offerings include these capabilities with the paid version of their service. In most cases, vendors also have a no-cost option that does not offer logging or reporting capabilities. In the case of commercial offerings from Cisco, Akamai, and Cloudflare, customers also have the ability to log into a portal to generate reports and administer the service.

With MDBR, CIS provides weekly reporting related to the blocks that have occurred. Although MDBR users will receive reports from CIS, they will not have the ability to directly log into the Akamai portal, or download logs directly from Akamai. These additional features will be available as a for-fee option from Akamai.

The majority of the threat data in Akamai’s Cloud Security Intelligence comes from data collected on the Akamai platform. Akamai delivers and protects around a third of global web traffic, and resolves 2/3 of the world’s DNS queries daily. This gives Akamai an unprecedented view of the threat landscape. They augment their data with a few third-party threat intelligence feeds and public information, such as WHOIS and domain registration details. All of this data is analyzed using proprietary algorithms that can quickly identify malicious domains contained in this large volume of data. Additionally, the Akamai threat research team further analyzes the data sets, as there are certain types of threats that an automated machine learning process will not easily detect.

Integrating the MDBR service into your environment is very straightforward and should only take a few minutes to complete. The only requirement to integrate the service is to configure your organization’s local forwarders to send DNS inquiries to Akamai’s primary and secondary recursive DNS servers.

For any post-approval changes to your MDBR account, please submit your changes to the following email address:

• For technical changes, IP address range, etc.: [email protected]
• For address or personnel changes (phone numbers, emails, etc.): [email protected]

Please reach out to [email protected] with any additional questions about the service.

Please reach out to [email protected] for technical questions.

The following U.S.-based hospitals and healthcare organizations can register for the MDBR service at https://hospital-mdbr.cisecurity.org/:

1. independent hospitals not operated by a state, local, tribal or territorial governmental entity;
2. multi-hospital systems;
3. hospital-based integrated health systems, meaning an organization, consisting of one or more hospitals plus at least one or more group of physicians, that provides comprehensive continuum of care and that are connected to each other through joint ownership or joint management;
4. post-acute patient care facilities; and
5. psychiatric, rehabilitation or other specialty hospitals.

Public hospitals in the U.S. operated by a state, local, tribal, or territorial governmental entity are eligible to receive the MDBR service at no-cost through membership in the Multi-State Information Sharing and Analysis Center (MS-ISAC). MS-ISAC members receive access to the MDBR service, along with a variety of other cybersecurity products and services, at no-cost through membership. Eligible organizations can learn more about the MS-ISAC at https://www.cisecurity.org/ms-isac/ and can register for MDBR at https://mdbr.cisecurity.org.

The MDBR service is available starting on February 16, 2021. For public U.S. hospitals, MDBR is being offered through the Multi-State Information Sharing and Analysis Center (MS-ISAC) as a no-cost service through September 23, 2023. For private U.S. hospitals, MDBR is being offered through CIS as a no-cost services through December 31, 2022, after which, the service will transition to a fee-based offering. More information to come in the near future.

The link to complete your registration process will expire in 24 hours. If your onboarding form is not completed before this time period expires, you will have to restart the registration process.

The link for your organization’s primary contact to review and approve your registration will expire in 72 hours. If your onboarding form and the MDBR Terms and Conditions are not approved before this time period expires, you will have to restart the registration process.

During the registration process, we ask if your organization provides DNS resolution services to other organizations in order to help us better understand how widely the MDBR service is being utilized. If your organization provides DNS resolution to other organizations, those other organizations would also receive the malicious domain blocking benefits of MDBR, without having to sign up for the service directly. Please note that if you indicate you provide DNS resolution services to other organizations, we will reach out to you directly to request a list of those organizations in order to accurately update our records.

The Terms and Conditions for our MDBR service are available at https://www.cisecurity.org/terms-and-conditions-table-of-contents/mdbr-hospital-terms/.

For U.S.-based public hospitals or other healthcare organizations associated with a state, local, tribal, or territorial governmental entity, that are receiving their MDBR service through MS-ISAC membership, the applicable Terms and Conditions for our MDBR service can be found at https://www.cisecurity.org/terms-and-conditions-table-of-contents/mdbr-terms/.

This error means that the IP or CIDR information provided is likely not in the proper format. Please confirm that the IP or CIDR block is properly formatted and resubmit the form.

CIS will provide weekly reporting to each participating entity that includes information related to both blocked and accepted requests and assist in remediation, if needed.

In some cases, organizations that have network perimeter security devices, such as firewalls and web proxies, have been found to make outbound DNS requests for malicious domains which do not originate from compromised systems. This occurs due to these devices proactively making DNS requests related to malicious domains on the device’s block list. This activity has the ability to create false positives within the MDBR service.

If your perimeter devices have the capability to proactively update malicious block lists, it is recommended that DNS requests originating from those particular devices be directed to another DNS provider and not be sent to Akamai.

Please reach out to [email protected] for more information or if you have any questions.

DoH is not currently supported by Akamai, but it is something they plan to support in the future. We will keep users updated with new information on DoH support, as we receive it.

The timestamp for the DNS request, the location it comes from (including the NAT IP address of the internet connection), the category and classification of the event, and the domain requested is the only data logged. MDBR does not provide a mechanism for determining which specific machine on a network generated a malicious request. As such, MDBR will not identify specific users as a standalone solution.

• Are only malicious requests or all requests logged?
  • The total number of DNS requests is tracked, however, the details described above are logged only for malicious requests.
• Who has access to the logging information?
  • • Members of the CIS staff with Akamai portal access and Akamai technical staff have access to the reporting features.
• How long are logs kept?
  • Logs are retained in the Akamai platform for 30 days. CIS has access to download data from Akamai.
• Where can I find more information on logged data?
  • Detailed information regarding data privacy at Akamai can be found at https://www.akamai.com/us/en/about/compliance/data-protection-at-akamai.jsp

Real-time log forwarding is not currently available through the MDBR service. At this time, the CIS SOC sends users a weekly report of the malicious blocks that occurred. The report will provide a high-level overview and include information on types of malicious activity associated with the blocked domains, confidence level of the blocks, severity, etc.

Access to the Akamai portal, Akamai Security Connector (virtual machine), and ETP software agent can all be purchased from Akamai. These upgraded offerings from Akamai would allow your organization to identify the true source address of the system making a malicious domain request, versus just your organization’s public IP address, among other more advanced features. For more information, contact the Akamai Sales Team directly here.

For U.S.-based public hospitals or other healthcare organizations associated with a state, local, tribal, or territorial governmental entity, CIS has negotiated discounted pricing for Akamai’s upgraded package offerings through CIS CyberMarket. For more information, please visit their CIS CyberMarket page here.

For instructions on how to set up your organization’s local forwarders, as well as a link for Akamai’s Enterprise Threat Protector Help website for other troubleshooting, you can view the MDBR set up instructions here.

You can use the following URLs to test that your organization’s local forwarders have been configured correctly and Akamai Enterprise Threat Protector is successfully blocking malicious domain requests.

• CnC: akamaietpcnctest.com

• Phishing: akamaietpphishingtest.com

• Malware: akamaietpmalwaretest.com

If your local forwarders are configured properly, you will see the following pre-configured block page:

If your local forwarders are not configured correctly and DNS requests are not being sent to Akamai, you will see the following page:

No, the block page is pre-configured and is not able to be customized by organizations using MDBR.

Please report any false positives you identify to [email protected]. Our SOC will either handle the issue directly, or escalate the issue to Akamai for assistance, if needed.

An internal DNS server is not required. You may configure the DNS settings on each individual machine (DHCP would be the easiest way) or change the DNS settings on your router. If your environment is very small, you may be doing DHCP on your router and could alter both settings on that device. CIS would need to know your organization’s public IP or public CIDR netblock.

Remote users can still utilize the MDBR service. However, since they are not at a “known” location, their requests would not report to a specific organization’s account. When those users make a malicious domain request, the “Unidentified Location” policy would be applied. The user will be protected from malicious content, but the blocked domain lookups will not be correlated to their organization’s account for reporting purposes.

For this situation, your organization would need to set up a dynamic DNS service and then provide that information to [email protected] to set up your account with Akamai.

Your organization would have to discontinue its existing secure DNS service to utilize the MDBR service, as your DNS requests would be directed to Akamai’s primary and secondary IPs instead of the other secure DNS service.

At this time, it is not possible to implement MDBR in monitoring-only mode.