Case Study · Red Teaming Services
Red Team: Primary Objective Achieved Day 9 — First Detection Occurred Day 23
Engagement Background
The Situation When We Were Engaged
A financial services asset management company managing ₹8,500 crore in client assets commissioned their first full-scope red team engagement — motivated by an industry peer’s 47-day undetected breach that resulted in significant data exfiltration and SEBI regulatory action.
The CISO’s question was direct: ‘If that happened to us, would we know, and how quickly?’ The blue team was not informed of the engagement.
SIRI Law LLP achieved initial foothold via spear phishing on Day 3, Domain Admin on Day 8, and full access to the core portfolio management system on Day 9. The first detection event occurred on Day 23 — 14 days after the primary objective was achieved. The EDR alert was assessed as a false positive and closed without escalation.
The engagement was ended consensually on Day 31 when the blue team correlated three events into a medium-priority incident. The 14-day undetected access window gave the board the empirical evidence they needed to rebuild the detection programme.
Engagement Profile
Attack Scenario & Methodology
How the Assessment Was Conducted
Techniques & Legal Framework
Technical Findings
What We Found
Each finding is documented with a proof of concept, and root cause analysis and remediation guidance are provided for every item.
Attack Narrative — Full Timeline
Engagement Timeline
Phase-by-Phase Execution
OSINT Reconnaissance (Days 1–7)
Complete organisational chart, technology stack, vendor relationships, and email patterns all obtained from public sources — no credentials required.
Initial Access (Days 3–9)
Spear phishing and MFA fatigue exploitation gave the initial foothold. BloodHound mapping of Active Directory followed by Kerberoasting led to Domain Admin and then to access to the portfolio management system (PMS), achieving the full objective.
Persistence & Low-and-Slow (Days 9–23)
A Golden Ticket, a Silver Ticket and a WMI event subscription were installed for persistence, with all activity kept within normal traffic patterns. On Day 23 the first detection event occurred and was assessed as a false positive.
Consensual End (Days 23–31)
Detection attempts were monitored until Day 31, when the blue team correlated the events and the engagement was ended. A full debrief was prepared.
Purple Team & Rebuild
SIRI Law LLP re-ran all techniques with full blue team visibility: CrowdStrike rules were tuned and MDI and NDR deployed. In the post-remediation assessment, MTTD fell from 14+ days to under 30 minutes.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
SIRI Law LLP’s integrated practice means every technical finding is analysed for its legal and regulatory implications, providing a complete risk picture rather than just a vulnerability list.
SEBI CSCRF — Detection Capability Non-Compliance
SEBI’s Cybersecurity and Cyber Resilience Framework specifies MTTD targets for registered market intermediaries. Demonstrated MTTD of 14+ days from primary objective to first detection significantly exceeds SEBI requirements. A real breach with this profile would require SEBI notification and trigger inspection.
DPDPA 2023 — Investor Personal Data
Domain Admin access exposed investor personal data (names, PAN, bank details, portfolio values, KYC documents). The 14-day undetected window meant 14 days of unreported access; DPDPA Section 8(6) notification obligations cannot be triggered without detection.
Rules of Engagement — Legal Authorisation Value
The RoE agreement drafted by SIRI Law LLP legal team: (1) IT Act Section 66 authorisation for all engagement activities; (2) insurance notification (testing ≠ breach for claim purposes); (3) SEBI audit evidence of board-level security oversight; (4) liability allocation for unintended consequences.
Remediation Programme
How We Fixed It
✦ Detection Programme Rebuild
Microsoft Defender for Identity: Kerberoasting, Pass-the-Hash, Golden/Silver Ticket, DCSync, LDAP enumeration detection.
Darktrace NDR: network-level anomaly detection for LoTL behaviour.
12 new Sentinel analytics rules derived from the red team techniques, each tested against the engagement activity logs.
MSSP SLA: medium-priority escalation now 1 hour; alert triage requires context enrichment before false positive closure.
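As an added illustration (not code from the original case study or from SIRI Law LLP), the kind of logic behind a Kerberoasting analytics rule: it parses constructed Event ID 4769 records and flags an account that requests RC4/DES service tickets for several distinct non-machine service principals within a short window. The field layout, thresholds and account names are assumptions; the client's production detection lives in Sentinel and MDI, not in this script.

```python
# Added example (not SIRI Law LLP's or the client's code): a minimal Kerberoasting
# detector in the spirit of the Sentinel analytics rules described above, run over
# constructed Event 4769 records. Thresholds, field names and accounts are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (tab-separated: time, requesting account,
# service name, ticket encryption type). 0x17 = RC4-HMAC, the weak type
# Kerberoasting tools request; 0x12 = AES256.
SAMPLE_4769 = """\
2024-03-05T09:14:01\tjdoe@CORP\tMSSQLSvc/db01.corp.local\t0x17
2024-03-05T09:14:02\tjdoe@CORP\tHTTP/intranet.corp.local\t0x17
2024-03-05T09:14:02\tjdoe@CORP\tsvc-backup\t0x17
2024-03-05T09:14:03\tjdoe@CORP\tsvc-reporting\t0x17
2024-03-05T09:14:03\tjdoe@CORP\tsvc-sharepoint\t0x17
2024-03-05T09:20:10\tasmith@CORP\tWS042$\t0x12
2024-03-05T10:02:44\tasmith@CORP\tHTTP/intranet.corp.local\t0x12
2024-03-05T11:30:00\tbkumar@CORP\tMSSQLSvc/db01.corp.local\t0x17
"""
WEAK_ENC = {"0x17", "0x18", "0x1", "0x3"}  # RC4 and DES ticket encryption types

def parse_4769(text):
    """Parse the constructed records into dicts; skip blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, service, enc = line.split("\t")
        rows.append({"time": datetime.fromisoformat(ts), "account": account,
                     "service": service, "enc": enc})
    return rows

def detect_kerberoasting(rows, min_services=4, window=timedelta(minutes=5)):
    """Flag accounts that request weak-encryption service tickets for
    min_services or more distinct non-machine services inside one window."""
    by_account = defaultdict(list)
    for r in rows:
        # Machine account tickets (trailing $) are not Kerberoasting targets; skip them.
        if r["enc"] in WEAK_ENC and not r["service"].endswith("$"):
            by_account[r["account"]].append(r)
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort(key=lambda r: r["time"])
        for i, first in enumerate(reqs):
            # distinct services requested within `window` of this request
            in_window = {r["service"] for r in reqs[i:] if r["time"] - first["time"] <= window}
            if len(in_window) >= min_services:
                hits[account] = sorted(in_window)
                break
    return hits
```

A single weak-encryption request (bkumar above) is not flagged, which is the kind of context-based triage the revised MSSP SLA now requires before an alert is closed.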
✦ Identity Security
Kerberoastable accounts reduced from 11 to 3; the others were migrated to gMSA.
Credential hygiene policy: shared credential files prohibited; 3 existing files audited and removed.
MFA number matching: employees must enter the code displayed on the sign-in screen, which eliminates MFA fatigue exploitation.
Privileged Access Workstations for CISO, IT team, and finance team leaders.
✦ Post-Engagement Persistence Hunt
Golden Ticket/Silver Ticket: krbtgt account reset twice, and all previously issued tickets allowed to expire.
WMI subscription audit: malicious subscription removed from all endpoints.
Web shell identified and removed from web server.
Finance team workstation reimaged.
Business Outcomes
What the Client Achieved
Board Received Empirical Security Evidence
The red team report was presented to the investment committee, giving concrete posture evidence for regulatory and investor reporting purposes.
MTTD: 14+ Days → Under 30 Minutes
Post-remediation purple team: all 8 previously undetected techniques now generating detection events within 30 minutes.
Finance Team Click Rate: 23% → 6%
Targeted spear phishing awareness training, built on the actual engagement techniques, produced a dramatic and measurable improvement.
SEBI CSCRF Compliance Achieved
Detection capabilities rebuilt to satisfy SEBI Cybersecurity and Cyber Resilience Framework MTTD requirements.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Qualified advocates, enabling legally privileged investigations
Certified security engineers — OSCP, CISSP, CEPT, CEH
DPDPA + CERT-In compliance integrated into every engagement
24/7 incident response availability
Director GRC & Legal at COE Security — Adv. Chetan Seripally
Facing a Similar Security Challenge?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.