Malicious Domain Blocking and Reporting (MDBR) FAQ

What is the Malicious Domain Blocking and Reporting (MDBR) Service?

The MDBR service is available at no cost for U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai. This service provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

MDBR technology prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

Who is Akamai?

Akamai is our selected DNS vendor for the MDBR service. Akamai secures and delivers digital experiences for the world’s largest companies. Akamai’s intelligent edge platform surrounds everything, from the enterprise to the cloud, so customers and their businesses can be fast, smart, and secure. Top brands globally rely on Akamai to help them realize competitive advantage through agile solutions that extend the power of their multi-cloud architectures. Akamai keeps decisions, apps, and experiences closer to users than anyone — and attacks and threats far away. Akamai’s portfolio of edge security, web and mobile performance, enterprise access, and video delivery solutions is supported by unmatched customer service, analytics, and 24/7/365 monitoring. Visit www.akamai.com for more information.

How does MDBR work?

MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats.

Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses (primary and secondary), every DNS lookup is compared against a list of known and suspected malicious domains. Attempts to access known malicious domains, such as those associated with malware, phishing, and ransomware, among other threats, are blocked and logged. Logs of both allowed and blocked DNS requests are retained for 30 days.

CIS will provide reporting to each participating entity that includes log information for all blocked requests and assist in remediation if needed.

What is Akamai Enterprise Threat Protector (ETP)?

Enterprise Threat Protector (ETP) is Akamai’s carrier-grade recursive DNS service that is integrated into the MDBR service. ETP is built on the global Akamai Intelligent Edge Platform and is a quick-to-configure, easy-to-deploy Secure Web Gateway (SWG) that requires no hardware to be installed and maintained.

ETP has multiple layers of protection that leverage real-time Akamai Cloud Security Intelligence and multiple static and dynamic malware-detection engines to proactively identify and block targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration. Every requested domain is checked against Akamai’s real-time threat intelligence, and requests to identified malicious domains are automatically blocked.

This intelligence is built on data gathered 24/7 from the Akamai Intelligent Edge Platform, which manages up to 30% of global web traffic and delivers up to 2.2 trillion DNS queries daily. Akamai’s intelligence is enhanced with hundreds of external threat feeds, and the combined data set is continuously analyzed and curated using advanced behavioral analysis techniques, machine learning, and proprietary algorithms. As new threats are identified, they are immediately added to the Enterprise Threat Protector service, delivering real-time protection.

How do I sign up for the MDBR service?

If you are an SLTT government entity and also a member of either the MS-ISAC or EI-ISAC, you can sign up here.

Click here for more information on how to join the MS-ISAC or EI-ISAC.

When can I sign up and how long can I leverage the MDBR service?

The MDBR service is available starting on July 6, 2020 and is being offered as a pilot until June 2021.

Does MDBR replace Albert?

No. The two services are not co-dependent and can be run entirely independently of each other. However, when used in conjunction with Albert network monitoring sensors, the two services are very effective in preventing nearly all ransomware attacks from being successful. The MDBR service is easy to implement and requires virtually no maintenance, as CIS and Akamai fully maintain the systems required to provide the service.

How much does the MDBR service cost?

The MDBR service is offered at no cost for U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®).

After I sign up, how do I access information related to my organization’s DNS activity?

CIS will provide reporting to each participating entity that includes log information for all blocked requests and assist in remediation if needed.

Is there anything I should be aware of, prior to signing up for the MDBR service?

In some cases, organizations that have network perimeter security devices, such as firewalls and web proxies, have been found to make outbound DNS requests for malicious domains that do not originate from compromised systems. This occurs because these devices proactively make DNS requests for the malicious domains on their own block lists. This activity can create false positives within the MDBR service.

If your perimeter devices have the capability to proactively update malicious block lists, it is recommended that DNS requests originating from those particular devices be directed to another DNS provider and not be sent to Akamai.

Please reach out to soc@cisecurity.org for more information or if you have any questions.

Does Akamai's DNS service support EDNS Client Subnet (RFC 7871) for optimal CDN routing?

Yes, Enterprise Threat Protector supports EDNS Client Subnet, per the RFC.

How does MDBR differ from other DNS filtering services, such as Cisco Umbrella or Quad9?

The MDBR service is similar to other services, such as Cisco Umbrella and Quad9, in that they all block malicious outbound DNS requests. The main differences come down to threat intelligence, logging of DNS lookups, reporting, and the ability to log into a customer portal. While Quad9 offers no logging or reporting capability, most other commercial offerings include these capabilities with the paid version of their service. In most cases, vendors also have a no-cost option that does not offer logging or reporting capabilities. In the case of commercial offerings from Cisco, Akamai, and Cloudflare, customers also have the ability to log into a portal to generate reports and administer the service.

With MDBR, the CIS SOC provides both high-level and detailed weekly reporting on the blocks that have occurred. Although members will receive reports from CIS, they will not have the ability to log into the Akamai portal directly or download logs directly from Akamai. These additional features will be available as for-fee options from Akamai through the CIS CyberMarket.

Does MDBR support real-time log integration or log forwarding to a state’s SIEM solution?

Real-time log forwarding is not currently available through the MDBR service. However, CIS plans to explore the ability for members to pull their logs daily via an API. The API log pull is still being researched. At this time, the CIS SOC sends members a weekly report of the malicious blocks that occurred. Members will receive two reports: a PDF and a CSV. The PDF report provides a high-level overview and includes information on the types of malicious activity associated with the blocked domains, the confidence level of the blocks, severity, etc. The CSV report includes more detailed information on each specific block that occurred, including its timestamp.

How challenging will it be to add MDBR to our environment?

Integrating the MDBR service into your environment is very straightforward and should only take a few minutes to complete. The only requirement to integrate the service is to configure your organization's local forwarders to send DNS queries to Akamai’s primary and secondary recursive DNS servers.
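The following BIND 9 named.conf fragment is an added example, not configuration supplied by CIS or Akamai. It shows the forwarder change described above together with the mitigation for the perimeter-device false positives noted earlier: ordinary clients are forwarded to the MDBR resolvers, while the firewall and proxy that refresh their own block lists are matched by a separate view and forwarded to a non-filtering resolver. Every IP address in it is a documentation-range placeholder; the real MDBR primary and secondary resolver addresses come from CIS at enrollment, and the perimeter-device and alternate-resolver addresses are your own.

```conf
// Added example (not from CIS or Akamai): split forwarding in BIND 9.
// All addresses are placeholders from RFC 5737 documentation ranges.

acl "perimeter-devices" {
    192.0.2.10;   // placeholder: firewall that pre-resolves its block list
    192.0.2.11;   // placeholder: web proxy that pre-resolves its block list
};

options {
    directory "/var/cache/bind";
    allow-query { localnets; };   // only serve the organization's own subnets
};

// Lookups from the perimeter devices bypass MDBR, so their block-list
// maintenance queries are not logged as blocks for this organization.
view "perimeter" {
    match-clients { "perimeter-devices"; };
    recursion yes;
    forward only;
    forwarders { 198.51.100.53; };   // placeholder: non-MDBR recursive resolver
};

// Every other client is forwarded to the MDBR (Akamai ETP) resolvers.
// "forward only" prevents a fallback to direct recursion, which would
// otherwise let lookups silently bypass the filtering if both forwarders
// were unreachable.
view "internal" {
    match-clients { any; };
    recursion yes;
    forward only;
    forwarders {
        203.0.113.1;   // placeholder: MDBR primary resolver
        203.0.113.2;   // placeholder: MDBR secondary resolver
    };
};
```

Validate the file with `named-checkconf` before reloading, and keep the "perimeter" view first: BIND evaluates views in order, and the catch-all "internal" view would otherwise capture the perimeter devices too. Once views are in use, any zones the server hosts must be declared inside a view rather than at the top level.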

How do I get direct access to the Akamai portal and information related to the internal host that made a DNS request?

Access to the Akamai portal, the ETP Security Connector (virtual machine), and the ETP software agent can all be purchased as additional for-fee options through the CIS CyberMarket at a special discounted rate. More information on purchasing these options is available here.

Who do I contact if I have further questions?

Please reach out to info@cisecurity.org with any additional questions about the service.

Please reach out to soc@cisecurity.org for technical questions.