Corvus
Threat Playbook · Red & Blue · Paired Analysis

Adversary Vectors & Defensive Controls

Surfaced exposures evaluated as adversary opportunities (left) and the defensive controls that close them (right). Vectors and controls are paired where one directly addresses the other. Baseline controls apply across multiple vectors.

6 Red Vectors · 10 Blue Controls · 6 Paired · 4 Baseline

Red · Adversary Vectors

6 vectors · ranked by severity

R-01 · Severe · High Confidence

Credential-stuffing / session-replay against dbrasweb.db.com Citrix RAS portal

The portal at dbrasweb.db.com (ent_021) fronts a Pulse Secure SSL VPN with DanaInfo-style Citrix RAS path-rewriting to ua.intranet.db.com (the internal network anchor). Hudson Rock enumerates session captures for: ua.intranet.db.com/Citrix/RASweb (81 sessions), sg-kch5.dbrasweb.db.com (51), sg-dsj5.dbrasweb.db.com (47), sg-kch4.dbrasweb.db.com (36 + 35). An adversary with access to a single stealer log would very likely attempt credential-stuffing first; where session cookies remain valid, direct session-replay would bypass authentication entirely. Even where MFA is enforced, weak factors (SMS, push-bombing) and stealer-captured tokens remain in scope. Highest-impact vector in this report.

R-02 · Severe · Moderate Confidence

Spear-phishing using named executives + DanaInfo-Citrix lures

Hunter.io surfaces named MDs and AVPs with verified {first}.{last}@db.com emails (Emily Etchberger ent_041, Robert Pettinato ent_042, Hyesi Jun ent_040, plus AVP-level Joshi, Yadav, Adisa, Stockman et al.). This recon base very likely lets an adversary craft high-fidelity lures referencing the exact authentication-portal hostnames (dbrasweb.db.com, login.isso.db.com, identity.db.com). DMARC p=reject blocks direct from-spoofing, but typosquat / cousin domains are not covered by DB DMARC and remain a viable phish channel. Where the phish lands a stealer, the loop closes back to R-01.

R-03 · Moderate · Moderate Confidence

Salesforce multi-tenant / shared-cert exposure

CertSpotter enumeration reveals 16+ DB Salesforce org IDs and — critically — a shared Salesforce/ExactTarget certificate listing DB subdomains alongside 80+ unrelated brands. The customer-facing scfportal.db.com (ent_024) routes to Salesforce Edge (sledge3-fra.slb.sfdcsvc.net, AS14340, not in DB ASN). Mis-scoped Connected App permissions, sharing-rule errors, or session-token reuse across orgs would likely be exploitable. Recon cannot directly observe permission posture; this vector should be confirmed by an internal Salesforce audit.

R-04 · Moderate · Moderate Confidence

Third-party-hosted research.db.com via Markit On Demand (AS7334)

research.db.com (ent_031) resolves to Markit On Demand infrastructure (209.234.234.52, AS7334), an S&P Global subsidiary. A compromise at Markit affecting DB content publishing would likely enable trusted distribution of malicious scripts to institutional-investor readers of DB Research. The trust boundary depends on Markit's tenant segregation, which is not observable via passive recon.

R-05 · Severe · Low Confidence

CSC registrar portfolio-wide takeover risk

The DB domain estate — db.com (ent_002), autobahnfx.com (ent_026), palaispopulaire.com (ent_028), and effectively all CSC-managed DB domains — sits inside a single CSC Corporate Domains tenancy. Registrar-side locks (clientTransferProhibited, serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited) are in place, but they only protect against transfer/update requests submitted through the registrar interface; an attacker with valid CSC portal credentials can likely bypass them. This is a low-frequency catastrophic vector that depends on CSC's own security posture.

R-06 · Moderate · Low Confidence

numis.com legacy-registrar integration drift

numis.com (ent_027) remained on Network Solutions (NS5/NS6.WORLDNIC.COM, DNSSEC false) after the 2023 DB acquisition, a different registrar/DNS-provider posture from the rest of the DB portfolio. Likely a brittle integration seam: legacy Numis email patterns, subdomain takeover risk on unattended legacy infrastructure, or impersonation via the legacy domain. Without knowing whether DB has consolidated monitoring across both registrars, confidence is low.

Blue · Defensive Controls

10 controls · paired and baseline

B-01 · Paired

Phishing-resistant MFA + ZTNA-front Citrix RAS portal

Enforce FIDO2/WebAuthn as the only valid second factor on dbrasweb.db.com remote-access entry, eliminating SMS / push-bomb / TOTP-replay vectors. Front the Pulse Secure portal with a ZTNA / SSE broker (e.g., Zscaler Private Access, Cloudflare Access) so unauthenticated probes cannot reach the Pulse login page. Force re-authentication on any session-cookie reuse from a new device fingerprint. Rotate all sessions captured in the Hudson Rock corpus.

B-02 · Paired

Cousin-domain monitoring + risk-based conditional access

Run continuous monitoring on typosquat / homoglyph variants of db.com (e.g., deutshebank.com, deutchebank.com, IDN homographs) and pre-emptively register or sinkhole them. Enforce Microsoft 365 / SSO conditional-access policies with risk-based MFA (Sign-in risk: medium+ → phishing-resistant MFA challenge). Pair Proofpoint URL-rewriting with phish-quarantine for any external link referencing DB authentication-portal hostnames sent to DB users.

B-03 · Paired

Salesforce multi-tenant audit and Connected-App review

Audit all 16+ DB Salesforce org IDs for: cross-org sharing rules, Connected App permission scope (especially refresh_token + api), Site Guest User profile permissions, and shared SAN cert hygiene. Re-issue any subdomain certs that share SAN listings with unrelated brands. Implement Salesforce Shield event monitoring with anomaly detection across all tenants.

B-04 · Paired

Vendor security monitoring for Markit On Demand / S&P Global

Establish a vendor-risk monitoring contract with S&P Global covering Markit On Demand tenant-isolation posture, change-control on research.db.com CNAME / content publishing, and incident-notification SLA. Implement Subresource Integrity (SRI) hashes on any DB-branded scripts served from Markit infrastructure. Consider migrating research.db.com to first-party hosting if Markit's tenant-segregation posture cannot be verified.
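The Subresource Integrity step from B-04, as an added example (not code from the report, from Markit or from any DB property): it produces the `integrity` value for a script body the first party has reviewed, and mirrors the browser-side check so a monitor can confirm that what the third-party host is serving still matches. The script body and the path are constructed for the example.

```python
import base64
import hashlib

# SRI permits exactly these digest algorithms; anything else is ignored by browsers.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity token, e.g. 'sha384-<base64 digest>', for a reviewed body."""
    if algo not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag the first-party page should carry for a third-party-hosted script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(integrity: str, served_body: bytes) -> bool:
    """Mirror the browser rule: of the listed tokens, use the strongest algorithm
    present and accept the body if it matches any token of that algorithm.

    In a monitor we fail closed on unparsable metadata, rather than loading anyway.
    """
    tokens = [t.split("-", 1) for t in integrity.split() if "-" in t]
    algos = [a for a, _ in tokens if a in _STRENGTH]
    if not algos:
        return False
    best = max(algos, key=_STRENGTH.get)
    expected = {digest for a, digest in tokens if a == best}
    actual = base64.b64encode(hashlib.new(best, served_body).digest()).decode()
    return actual in expected


# Constructed script body standing in for a reviewed release of a vendor-hosted file.
REVIEWED_BODY = b"window.researchWidget = function () { return 'constructed'; };\n"

if __name__ == "__main__":
    tag = script_tag("https://vendor-host.placeholder.example/widget.js", REVIEWED_BODY)
    print(tag)
    # A monitor would fetch the live file and run verify_sri against the pinned token.
    print(verify_sri(sri_hash(REVIEWED_BODY), REVIEWED_BODY))           # True
    print(verify_sri(sri_hash(REVIEWED_BODY), REVIEWED_BODY + b"//x"))  # False
```

SRI only protects scripts the page references by URL with the `integrity` attribute; a vendor-side change to a script that the page does not pin is still trusted, so the pinned list must cover every DB-branded resource served from the third party.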

B-05 · Paired

CSC registrar lock + MFA + portfolio-wide change-monitoring

Confirm Multi-Factor Authentication and IP allow-listing are enforced on the CSC Corporate Domains portal account. Enable CSC's Domain Lock-Plus or equivalent out-of-band change verification (notarized requests). Continuously monitor RDAP for ANY status / NS / DS-record change across the portfolio (db.com, autobahnfx.com, palaispopulaire.com, etc.) and treat any drift as an incident-response trigger.

B-06 · Paired

numis.com integration consolidation + DNSSEC

Migrate numis.com from Network Solutions onto the CSC tenancy used by the rest of the DB portfolio (or vice versa) so the entire estate is under a single monitored registrar. Enable DNSSEC on numis.com as part of the migration. Inventory all *.numis.com subdomains and decommission anything not actively used; subscribe each remaining subdomain to subdomain-takeover monitoring.

B-07 · Baseline

DNSSEC for db.com

Enable DNSSEC on db.com at the registrar (CSC Corporate Domains) — currently delegationSigned=false. The DB self-hosted NS infrastructure under db-dns.de / db-dns.com would need DNSKEY/DS records published. DNSSEC closes a residual gap in the otherwise-strong DMARC/Proofpoint email-security stack and reduces DNS-spoof risk against db.com email-routing.
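The registrar-drift monitor called for in B-05 and the `delegationSigned` check from B-07, as one added example that is not code from the report or from CSC. It works on RDAP domain objects (RFC 9083 field names: `status`, `nameservers[].ldhName`, `secureDNS.delegationSigned`, `secureDNS.dsData`) that a real monitor would fetch from the registry's RDAP endpoint; the baseline record below is constructed for a placeholder domain, and the lock names are the ones listed in R-05 in their RDAP spelling.

```python
import json

# Registrar locks that should always be present; any absence is an IR trigger.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}

# CONSTRUCTED baseline snapshot for a placeholder name, in RDAP (RFC 9083) shape.
BASELINE_RDAP = json.loads("""{
  "ldhName": "bank-placeholder.example",
  "status": ["client transfer prohibited", "server delete prohibited",
             "server transfer prohibited", "server update prohibited"],
  "nameservers": [{"ldhName": "NS1.FIRSTPARTY-DNS.EXAMPLE"},
                  {"ldhName": "NS2.FIRSTPARTY-DNS.EXAMPLE"}],
  "secureDNS": {"delegationSigned": false}
}""")


def snapshot(rdap: dict) -> dict:
    """Reduce an RDAP domain object to the fields whose drift matters, normalised
    so that ordering and letter case in the registry response do not cause noise."""
    sec = rdap.get("secureDNS", {})
    return {
        "status": sorted(rdap.get("status", [])),
        "nameservers": sorted(ns.get("ldhName", "").lower()
                              for ns in rdap.get("nameservers", [])),
        "delegationSigned": bool(sec.get("delegationSigned", False)),
        "ds": sorted((d.get("keyTag"), d.get("algorithm"), d.get("digestType"),
                      str(d.get("digest", "")).lower())
                     for d in sec.get("dsData", [])),
    }


def drift(baseline: dict, current: dict) -> list:
    """Return (field, before, after) for every changed field. Per B-05, any entry
    (status, NS or DS change) is treated as an incident-response trigger."""
    b, c = snapshot(baseline), snapshot(current)
    return [(k, b[k], c[k]) for k in b if b[k] != c[k]]


def missing_locks(rdap: dict) -> set:
    """Locks from REQUIRED_LOCKS that the current record no longer carries."""
    return REQUIRED_LOCKS - set(rdap.get("status", []))


def dnssec_enabled(rdap: dict) -> bool:
    """B-07's gap: the registry reports delegationSigned=false until DS records exist."""
    return bool(rdap.get("secureDNS", {}).get("delegationSigned", False))


if __name__ == "__main__":
    # Simulated later poll: one nameserver swapped and one lock gone.
    later = dict(BASELINE_RDAP,
                 nameservers=[{"ldhName": "ns1.other-dns.placeholder.example"}],
                 status=[s for s in BASELINE_RDAP["status"]
                         if s != "server transfer prohibited"])
    for field, before, after in drift(BASELINE_RDAP, later):
        print(f"DRIFT {field}: {before} -> {after}")
    print("missing locks:", missing_locks(later))
    print("DNSSEC:", dnssec_enabled(later))
```

Polling interval and alert routing are deployment choices; the useful property here is that the comparison is over a normalised snapshot, so a registry that reorders its `status` array does not page anyone, while a single lock disappearing does.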

B-08 · Baseline

Continuous infostealer-corpus monitoring

Subscribe to Hudson Rock Cavalier (or equivalent: Flare, Recorded Future) for continuous monitoring of db.com employee, customer, and third-party sessions appearing in infostealer corpora. Automate forced-password-reset + session-invalidation on any new DB employee session detected. Treat the existing 344-session baseline as remediation-in-progress and track decay over time.

B-09 · Baseline

Subdomain inventory + takeover monitoring across the 150+ surfaced subdomains

Recon surfaced 150+ *.db.com subdomains, many marked uat, sit, staging, dev, or test (e.g., test.db.com, testhost.db.com, uat-zpa-readiness.db.com, dbdigitalonboarding.sit.db.com). Run a quarterly inventory: confirm DNS records for each, decommission anything not in active use, and subscribe the remainder to subdomain-takeover monitoring (Detectify, Subscribe-to-Subdomains, etc.).
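The quarterly inventory triage from B-09 as an added example (not code from the report or from the monitoring products named). It classifies each surfaced hostname by the environment tokens the report lists (uat, sit, staging, dev, test), flags CNAMEs that point outside first-party zones so their targets can be confirmed to still exist, and marks hosts with no recent traffic as decommission candidates. The record list, the placeholder apex, the traffic-telemetry field and the 90-day idle threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Heuristic environment tokens; "testhost" and "uat2" match, "sitemap" does not.
ENV_TOKEN = re.compile(r"^(uat|sit|staging|stage|dev|test|qa)(\d+|host)?$")


@dataclass(frozen=True)
class Record:
    name: str                      # FQDN as surfaced in recon
    rtype: str                     # "A" or "CNAME"
    target: str                    # IP address or CNAME target
    last_traffic_days: Optional[int]  # days since last observed traffic; None = no telemetry


def env_of(fqdn: str, apex: str) -> str:
    """Return the environment token found in the host labels, or 'prod' if none."""
    host = fqdn[: -len(apex) - 1] if fqdn.endswith("." + apex) else fqdn
    for label in host.split("."):
        for part in label.split("-"):
            m = ENV_TOKEN.match(part)
            if m:
                return m.group(1)
    return "prod"


def _first_party(target: str, zones: set) -> bool:
    t = target.rstrip(".").lower()
    return any(t == z or t.endswith("." + z) for z in zones)


def triage(records: list, apex: str, first_party_zones: set, idle_days: int = 90) -> dict:
    """Return {fqdn: [findings]} for every record that needs a decision this quarter."""
    out = {}
    for r in records:
        findings = []
        env = env_of(r.name, apex)
        if env != "prod":
            findings.append(f"non-production ({env}) host exposed in public DNS")
        if r.rtype == "CNAME" and not _first_party(r.target, first_party_zones):
            findings.append(f"CNAME to third-party target {r.target}: confirm the target still exists")
        if r.last_traffic_days is None or r.last_traffic_days > idle_days:
            findings.append("no recent traffic: decommission candidate")
        if findings:
            out[r.name] = findings
    return out


# CONSTRUCTED inventory for a placeholder apex; shapes mirror the report's examples.
APEX = "bank-placeholder.example"
SAMPLE = [
    Record(f"www.{APEX}", "A", "192.0.2.10", 1),
    Record(f"uat-portal-readiness.{APEX}", "CNAME", "portal.broker-vendor.placeholder.example.", 200),
    Record(f"testhost.{APEX}", "A", "192.0.2.11", None),
    Record(f"onboarding.sit.{APEX}", "CNAME", f"edge.{APEX}.", 3),
    Record(f"sitemap.{APEX}", "A", "192.0.2.12", 5),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE, APEX, {APEX}).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Hostname heuristics will miss environments that do not use these tokens, so the inventory should be driven by the authoritative zone files rather than only by what recon surfaced; the recon list is the check that the zone-file inventory is complete.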

B-10 · Baseline

LEI / corporate-transparency hygiene on offshore SPVs

Re-evaluate the lapsed Deutsche Cayman Ltd. LEI 529900PLMCWKG4WW7813 (entity still ACTIVE in Cayman register). Either renew the LEI (€100–300/year) or formally wind down the entity to remove the reputational/transparency drift signal. The same review should sweep the other 16+ Cayman LEI children for similar lapse patterns.