Corvus
RED × BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

3
Severe
3
Moderate
1
Low
3
Baseline

Severe · Act Now

3 engagements

Moderate · Plan Mitigation

3 engagements

Low · Monitor

1 engagement

Baseline · Surface-Wide

3 controls
B-08 Baseline

Enforce DMARC p=reject across every .db.com subdomain

Extend the @db.com p=reject policy to every subdomain that issues outbound mail (incl. invoicing, M365 sub-tenants, marketing automation). Audit any subdomain currently in p=quarantine or p=none and migrate to p=reject within 90 days. Already-in-place for the apex per ev_005 — extend to the full tree.

B-09 Baseline

Continuous secret-scanning + commit-hygiene across DB GitHub and internal repos

Adopt pre-commit secret scanning (gitleaks, truffleHog) across all DB-administered repositories; integrate alerts into the SOC pipeline; rotate any credential surfaced in scan, paste-site, or external aggregator output (HudsonRock, XposedOrNot, hudsonrock_email) within 24h of detection.

B-10 Baseline

Sanctions-controls compliance dashboard with cross-jurisdiction view (UK OFSI + EU + US OFAC + DE BaFin)

Maintain a single compliance dashboard reconciling sanctions designations across UK OFSI, EU consolidated list, US OFAC, and DE BaFin enforcement actions, with automated reconciliation against transaction monitoring rules. Build in evidence-of-tuning provenance so that any future post-incident review (e.g., a successor to ent_153) can demonstrate forward-looking calibration rather than reactive only.