Malicious Domain Blocking and Reporting (MDBR) FAQ

Overview

What is the Malicious Domain Blocking and Reporting (MDBR) Service?

The MDBR service is available at no cost for U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai. This service provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

Who is Akamai?

Akamai is our selected DNS vendor for the MDBR service. Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps, and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics, and 24/7/365 monitoring. Visit www.akamai.com for more information.

How does MDBR work?

MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats.

Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses (primary and secondary), every DNS lookup will be compared against a list of known and suspected malicious domains. Attempts to access known malicious domains such as those associated with malware, phishing, and ransomware, among other threats, will be blocked and logged. Accepted and blocked DNS request logs will be stored for a period of 30 days.

CIS will provide reporting to each participating entity that includes log information for all blocked requests and assist in remediation if needed.

What is Akamai Enterprise Threat Protector (ETP)?

Enterprise Threat Protector (ETP) is Akamai’s carrier-grade recursive DNS service that is integrated into the MDBR service. ETP is built on the global Akamai Intelligent Edge Platform and is a quick-to-configure, easy-to-deploy Secure Web Gateway (SWG) that requires no hardware to be installed and maintained.

ETP has multiple layers of protection that leverage real-time Akamai Cloud Security Intelligence and multiple static and dynamic malware-detection engines to proactively identify and block targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration. Every requested domain is checked against Akamai’s real-time threat intelligence, and requests to identified malicious domains are automatically blocked.

This intelligence is built on data gathered 24/7 from the Akamai Intelligent Edge Platform, which manages up to 30% of global web traffic and delivers up to 2.2 trillion DNS queries daily. Akamai’s intelligence is enhanced with hundreds of external threat feeds, and the combined data set is continuously analyzed and curated using advanced behavioral analysis techniques, machine learning, and proprietary algorithms. As new threats are identified, they are immediately added to the Enterprise Threat Protector service, delivering real-time protection.

How much does the MDBR service cost?

The MDBR service is offered at no cost for U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).

Does MDBR replace Albert?

No, the two services are not co-dependent and can be run entirely independently of each other. However, when used in conjunction with Albert network monitoring sensors, the two services are very effective in preventing ransomware and other malicious attacks from being successful. The MDBR service is easy to implement and requires virtually no maintenance, as CIS and Akamai fully maintain the systems required to provide the service.

How does MDBR differ from other DNS filtering services, such as Cisco Umbrella or Quad9?

The MDBR service is similar to other services, such as Cisco Umbrella and Quad9, in that they all block malicious outbound DNS requests. The main differences come down to threat intelligence, logging of DNS lookups, reporting, and the ability to log into a customer portal. While Quad9 offers no logging or reporting capability, most other commercial offerings include these capabilities with the paid version of their service. In most cases, vendors also have a no-cost option that does not offer logging or reporting capabilities. In the case of commercial offerings from Cisco, Akamai, and Cloudflare, customers also have the ability to log into a portal to generate reports and administer the service.

With MDBR, the CIS SOC provides both high-level and detailed weekly reporting related to the blocks that have occurred. Although the membership will receive reports from CIS, they will not have the ability to directly log into the Akamai portal or download logs directly from Akamai. These additional features will be available as for-fee options from Akamai through the CIS CyberMarket.

What threat intelligence feeds are used by Akamai and how do they compare to other service providers?

The majority of the threat data in Akamai’s Cloud Security Intelligence comes from data collected on the Akamai platform. Akamai delivers and protects around a third of global web traffic, and resolves 2/3 of the world's DNS queries daily. This gives Akamai an unprecedented view of the threat landscape. They augment their data with a few third-party threat intelligence feeds and public information, such as WHOIS and domain registration details. All of this data is analyzed using proprietary algorithms that can quickly identify malicious domains contained in this large volume of data. Additionally, the Akamai threat research team further analyzes the data sets, as there are certain types of threats that an automated machine learning process will not easily detect.

How challenging will it be to add MDBR to our environment?

Integrating the MDBR service into your environment is very straightforward and should only take a few minutes to complete. The only requirement to integrate the service is to configure your organization's local forwarders to send DNS inquiries to Akamai’s primary and secondary recursive DNS servers.

Who do I contact for changes to my MDBR account?

For any post-approval changes to your MDBR account, please submit your changes to the following email address:

Who do I contact if I have further questions?

Please reach out to info@cisecurity.org with any additional questions about the service.

Please reach out to soc@cisecurity.org for technical questions.

Registration

How do I sign up for the MDBR service?

If you are an SLTT government entity and also a member of either the MS-ISAC or EI-ISAC, you can sign up here.

Click here for more information on how to join the MS-ISAC or EI-ISAC.

When can I sign up and how long can I leverage the MDBR service?

The MDBR service is available starting on July 6, 2020 and is being offered as a pilot until June 2021.

Once I receive the registration email, how many hours is the link in the email valid for before it expires?

The link to complete your registration process will expire in 24 hours. If your onboarding form is not completed before this time period expires, you will have to restart the registration process.

Once our organization's primary contact receives the enrollment approval email, how many hours is the link in the email valid for before it expires?

The link for your organization's primary contact to review and approve your registration will expire in 72 hours. If your onboarding form and the MDBR Terms and Conditions are not approved before this time period expires, you will have to restart the registration process.

Are the MDBR Terms and Conditions available to be reviewed by our legal department prior to accepting them?

The Terms and Conditions for our MDBR service are available at https://www.cisecurity.org/terms-and-conditions-table-of-contents/mdbr-terms/

While completing the MDBR onboarding form, I received an error stating "Parameter IPs of value 'x.x.x.x' violated a constraint. Invalid IP or CIDR notation." What does this mean?

This error means that the IP or CIDR information provided is likely not in the proper format. Please confirm that the IP or CIDR block is properly formatted and resubmit the form.
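A pre-submission check for the IP and CIDR entries, added here as an example (not part of the original FAQ or the onboarding form's own validator). It applies Python's standard `ipaddress` rules, and the sample entries are constructed for illustration; the form's exact acceptance rules are an assumption, so an entry this check passes could still be rejected.

```python
import ipaddress

# Constructed sample entries: a mix of well-formed and malformed IP / CIDR
# strings of the kind an onboarding form might receive (not from the FAQ).
SAMPLE_ENTRIES = [
    "203.0.113.10",        # plain IPv4 address: valid
    "198.51.100.0/24",     # IPv4 CIDR block: valid
    "2001:db8::/32",       # IPv6 CIDR block: valid
    "198.51.100.0/33",     # prefix length too long for IPv4: invalid
    "203.0.113",           # missing octet: invalid
    "203.0.113.5/24",      # host bits set inside a /24: flagged as invalid
    " 203.0.113.20 ",      # leading/trailing whitespace: invalid as submitted
]


def check_entry(entry):
    """Return (ok, message) for one IP or CIDR string, exactly as submitted."""
    try:
        # strict=True rejects blocks whose host bits are non-zero
        # (e.g. 203.0.113.5/24); a form validator is likely to do the same.
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return False, f"'{entry}' is not valid IP or CIDR notation ({exc})"
    if net.num_addresses == 1:
        return True, f"'{entry}' is a single IPv{net.version} address"
    return True, f"'{entry}' is an IPv{net.version} block of {net.num_addresses} addresses"


def validate_entries(entries):
    """Split submitted strings into (valid_messages, invalid_messages)."""
    valid, invalid = [], []
    for entry in entries:
        ok, msg = check_entry(entry)
        (valid if ok else invalid).append(msg)
    return valid, invalid


if __name__ == "__main__":
    good, bad = validate_entries(SAMPLE_ENTRIES)
    for line in good:
        print("OK     ", line)
    for line in bad:
        print("REJECT ", line)
```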

After I sign up, how do I access information related to my organization’s DNS activity?

CIS will provide reporting to each participating entity that includes log information for all blocked requests and assist in remediation if needed.

Is there anything I should be aware of, prior to signing up for the MDBR service?

In some cases, organizations that have network perimeter security devices, such as firewalls and web proxies, have been found to make outbound DNS requests for malicious domains which do not originate from compromised systems. This occurs due to these devices proactively making DNS requests related to malicious domains on the device’s block list. This activity has the ability to create false positives within the MDBR service.

If your perimeter devices have the capability to proactively update malicious block lists, it is recommended that DNS requests originating from those particular devices be directed to another DNS provider and not be sent to Akamai.

Please reach out to soc@cisecurity.org for more information or if you have any questions.

Technical Support

Does MDBR support DNS over HTTPS (DoH)?

DoH is not currently supported by Akamai, but it is something they plan to support in the future. We will keep the membership updated with new information on DoH support, as we receive it.

Can you provide more details on the information that is logged by MDBR?

The timestamp of the DNS request, the location it comes from (including the NAT IP address of the internet connection), the category and classification of the event, and the domain requested are the only data logged. MDBR does not provide a mechanism for determining which specific machine on a network generated a malicious request. As such, MDBR will not identify specific users as a standalone solution.

  • Are only malicious requests or all requests logged?
    • The total number of DNS requests is tracked, however, the details described above are logged only for malicious requests.
  • Who has access to the logging information?
    • Members of the CIS staff with Akamai portal access and Akamai technical staff have access to the reporting features.
  • How long are logs kept?
    • Logs are retained in the Akamai platform for 30 days. CIS has access to download data from Akamai.
  • Where can I find more information on logged data?

Does MDBR support real-time log integration or log forwarding to a state’s SIEM solution?

Real-time log forwarding is not currently available through the MDBR service. However, CIS plans to explore the ability for members to pull down their logs, via API, on a daily basis. The API log pull is still being researched. At this time, the CIS SOC sends members a weekly report of the malicious blocks that occurred. Members will receive two reports: a PDF and a CSV. The PDF report will provide a high-level overview and include information on the types of malicious activity associated with the blocked domains, confidence level of the blocks, severity, etc. The CSV report will include more detailed information related to each specific block that occurred, as well as the timestamp.
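A triage script for the weekly CSV of blocks, added here as an example (not CIS or Akamai code). It serves the earlier note about perimeter devices that resolve their own block lists and this section's CSV report: blocks whose source is a known perimeter device are separated from those that need follow-up, and the rest are summarized by category. The column layout, the sample rows, and the perimeter device addresses are all assumptions constructed for this example; the real report's columns may differ.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample report in the column layout this example assumes:
# one row per blocked lookup, using the fields the FAQ says are logged.
SAMPLE_CSV = """timestamp,source_ip,category,domain
2020-07-13T14:02:11Z,203.0.113.10,Malware,malware.example.net
2020-07-13T14:02:15Z,203.0.113.10,Phishing,login.example.org
2020-07-13T15:30:00Z,203.0.113.40,Malware,malware.example.net
2020-07-14T09:12:45Z,203.0.113.41,Ransomware,pay.example.com
2020-07-14T09:13:02Z,198.51.100.7,Phishing,account.example.org
"""

# Egress addresses of firewalls/proxies that proactively resolve their own
# block lists (assumed values); single IPs or CIDR blocks are both accepted.
PERIMETER_DEVICES = ["203.0.113.40", "203.0.113.41/32"]


def load_report(text):
    """Parse the CSV text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_perimeter_source(ip, devices):
    """True if ip falls inside any of the perimeter device IPs / CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(d, strict=False) for d in devices)


def triage(rows, devices):
    """Split blocks into (from_perimeter_devices, needs_investigation)."""
    expected, investigate = [], []
    for row in rows:
        bucket = expected if is_perimeter_source(row["source_ip"], devices) else investigate
        bucket.append(row)
    return expected, investigate


def summarize(rows):
    """Count blocks per category and per source NAT IP for an overview."""
    return Counter(r["category"] for r in rows), Counter(r["source_ip"] for r in rows)


if __name__ == "__main__":
    expected, investigate = triage(load_report(SAMPLE_CSV), PERIMETER_DEVICES)
    print(f"{len(expected)} block(s) from perimeter devices (likely list refreshes)")
    by_category, by_source = summarize(investigate)
    print(f"{len(investigate)} block(s) to investigate: {dict(by_category)}")
    print("per source:", dict(by_source))
```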

How do I get direct access to the Akamai portal and information related to the internal host that made a DNS request?

Access to the Akamai portal, ETP Security Connector (virtual machine), and ETP software agent, can all be purchased as additional for-fee options through the CIS CyberMarket at a special discounted rate. More information on purchasing these options is available here.

How do I configure my organization's local forwarders to send DNS inquiries to Akamai?

For instructions on how to set up your organization's local forwarders, as well as a link for Akamai’s Enterprise Threat Protector Help website for other troubleshooting, you can view the MDBR set up instructions here.

Is there a way to test that our local forwarders were successfully changed to send DNS inquiries to Akamai?

You can use the following URLs to test that your organization's local forwarders have been configured correctly and that Akamai Enterprise Threat Protector is successfully blocking malicious domain requests.

If your local forwarders are configured properly, you will see the following pre-configured block page:

If your local forwarders are not configured correctly and DNS requests are not being sent to Akamai, you will see the following page:

Is the page that appears when malicious domain requests are blocked customizable?

No, the block page is pre-configured and is not able to be customized by organizations using MDBR.

My organization does not have an internal DNS server. Is an internal DNS server required to sign up for MDBR, or can we manually point each workstation towards the Akamai DNS servers directly?

An internal DNS server is not required. You may configure the DNS settings on each individual machine (DHCP would be the easiest way) or change the DNS settings on your router. If your environment is very small, you may be doing DHCP on your router and could alter both settings on that device. CIS would need to know your organization’s public IP or public CIDR netblock.

Many of our employees work remotely. Assuming no VPN is present, would this disqualify them from utilizing the MDBR service, as they would not have an internal DNS server?

Remote users can still utilize the MDBR service. However, since they are not at a “known” location, their requests would not report to a specific member organization's account. When those users make a malicious domain request, the “Unidentified Location” policy would be applied. The user will be protected from malicious content, but the blocked domain lookups will not be correlated to their member organization's account for reporting purposes.

My organization does not have a static IP address, which is required for accurate reporting. Would my organization be disqualified from the MDBR service, or would we have to update our account every time our IP address changes?

For this situation, your organization would need to set up a dynamic DNS service and then provide that information to soc@cisecurity.org to set up your account with Akamai.

My organization has an existing security gateway (DNS filter) solution in place. Is it possible to have both MDBR and another secure DNS solution in place at the same time?

Your organization would have to discontinue its existing secure DNS service to utilize the MDBR service, as your DNS requests would be directed to Akamai’s primary and secondary IPs instead of the other secure DNS service.

Is it possible to implement the MDBR service in monitoring-only mode to determine if there are any issues, before allowing it to block domain requests?

At this time, it is not possible to implement MDBR in monitoring-only mode.