Question
1. How could VirusTotal be useful to users? How could it be useful to security researchers? However, could it also be used by attackers to test their own malware before distributing it to ensure that it does not trigger an AV alert? What should be the protections against this?
2. Briefly explain each of the phases. The following are the phases in Incident Handling and Response:
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Follow-up
TASK 2 - Categorize the following example with respect to each phase, and explain why.
Practical example: an eCommerce site
A client reported a server performance issue. Tech Support found that the load on the site was too high and not normal. The Web Developer examined the code of the website and identified foreign code on the server. The Web Developer then referred this issue to the Information Security team. The Information Security team began collecting data. They further contacted an external Incident Response team.
The Incident Response team examined the server and recommended blocking some specific external IP addresses immediately. Then the team examined the server population, collected all the evidence very carefully, and provided a written report of the incident. Then the team recommended removal of the foreign code from the web server. Removing the foreign code from the web server helped in recovering the system back to its normal performance. The team also recommended policy and procedure changes in order to avoid this incident in the future.
Phase | Scenario Description |
Preparation | |
Detection | |
Containment | |
Eradication | |
Recovery | |
Follow-up | |