Applying the MITRE ATT&CK Framework to Dead Box Forensics by Mary Ellen Kennel

A lot has been shared about the MITRE ATT&CK framework and how it can be leveraged as a powerful hunting resource and a threat-modeling foundation. In this presentation, Mary Ellen will cover a different way of using MITRE ATT&CK: during a forensic investigation.

This talk will walk the audience through a complete investigation plan, A-Z, built from the MITRE ATT&CK framework. Unlike many MITRE ATT&CK implementations, the content will be less about proactive threat hunting and more about using the framework as an aid to a forensic investigation. We'll begin with an example incident that was just dropped on your desk, and all you have is an IP address. Your company had a visit from a three-letter agency, and you've now found out through a third party that your org was popped; it doesn't get much worse than that. The "suits" leave, and all you've got is an IP address and strict orders to piece together what happened. The order of events will be based loosely on a paper Mary Ellen published in 2016 entitled "IR A-Z".