Responding to heightened cyberattack risk: Focus on the basics

Mar 09, 2022
Network Security

The Russia-Ukraine crisis has raised alarms about heightened risk of cyberattacks. Don't panic, but do make sure you're on top of these fundamental security best practices.


A SANS Institute webcast about Russian cyberattack escalations in Ukraine presented a couple of takeaways. The first: Don’t panic. Too often with security issues we think the worst; we may overreact and make the situation worse. Instead, focus on the basics. The second is that we need to pay more attention to network traffic.

Take care of security basics first

When reviewing your network for potential cyber threats, don’t make things worse by introducing misconfigurations that create more problems. Spend time on the basics and on other projects that you probably should have worked on earlier.

Documentation and planning are what you need to be doing now, not making changes and configuration adjustments. Slow down and review plans rather than make dramatic changes. Configuration changes often introduce side effects that make you think an attack is underway from external sources. A website is offline; immediately we think of a cyberattack, but the root cause is often a Domain Name System (DNS) misconfiguration or a core infrastructure issue.

Take the time to review and consider targeted entry points. Learn the lessons from the Maersk ransomware attacks that started from Ukraine. Review which business-to-business entry points are weak links. Review all virtual private network (VPN) connections to your network and where they come from. Remember, their security impacts your security. Add two-factor authentication to these connections where appropriate and consider whether you need to make temporary adjustments in who connects to your network during this time.

I usually recommend holding off on patching until we know of any side effects, but depending on your risk level you may want to test updates on an accelerated basis and deploy sooner than normal. I also recommend reviewing the commonly attacked vulnerabilities and ensuring that you have patched your network for them.

Last, but certainly not least, don’t become a source of funding for attackers. Ensure that you can recover from a ransomware attack and do not pay ransom to attackers. Having an offline backup should be a priority to ensure that you can recover in any situation.

Monitor network traffic for anomalies

SANS recommended that you review what resources you have in place to monitor network traffic to see who might be inside your network. Specifically, review NetFlow, a commonly used network protocol created by Cisco that collects active IP network traffic as it flows in or out of an interface. It tracks point of origin, destination, volume and paths on the network.

First look to your edge devices: your firewalls and other devices that control the network traffic flow in and out of your network. Even a small firm’s firewall can probably support this level of investigation. Start by pulling out your firewall manual and reviewing whether you can enable logging of NetFlow traffic. It’s not enough to enable it; you need to log it so that you can go back and investigate malicious traffic after the fact.

NetFlow isn’t just about malicious traffic. It’s also a means to reduce bottlenecks and optimize bandwidth utilization. NetFlow data isn’t meant to be read one session at a time; it becomes more informative as it accumulates. Enabling NetFlow analysis and storing the data so that you can later review it for patterns is key. Use resources such as Splunk to store and further analyze the information that you receive from your network. You can also use cloud-hosted tools such as Azure Sentinel to store and review NetFlow information.
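The pattern-over-time point above, as an added example that is not from the article: accumulate a baseline of external destinations and peak flow sizes from past records, then flag today's flows that go to a never-seen external peer or far exceed the past peak. The CSV layout (ts,src,dst,dport,bytes) is an assumed collector export rather than raw NetFlow, and the records are constructed samples.

```python
# Added example (not from the article): baseline NetFlow-style records and flag
# flows to unseen external peers or with unusual volume. Assumed CSV layout
# ts,src,dst,dport,bytes (a collector export, not raw NetFlow); samples are constructed.
import csv
import io
import ipaddress

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BASELINE_CSV = """ts,src,dst,dport,bytes
2022-03-01T09:00,10.0.0.5,203.0.113.10,443,52000
2022-03-01T09:05,10.0.0.7,192.168.1.20,445,300000
2022-03-02T09:00,10.0.0.5,198.51.100.20,443,61000
2022-03-03T10:00,10.0.0.9,203.0.113.10,443,55000
"""
TODAY_CSV = """ts,src,dst,dport,bytes
2022-03-09T09:00,10.0.0.5,203.0.113.10,443,50000
2022-03-09T02:13,10.0.0.9,192.0.2.77,443,9800000
2022-03-09T11:00,10.0.0.5,198.51.100.20,443,900000
"""

def is_external(ip):
    """True when the address is outside the RFC 1918 ranges we treat as internal."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def parse_flows(text):
    """Parse collector CSV into dicts with integer byte counts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows

def build_baseline(flows):
    """Per external destination, remember the largest single flow seen."""
    peak = {}
    for f in flows:
        if is_external(f["dst"]):
            peak[f["dst"]] = max(peak.get(f["dst"], 0), f["bytes"])
    return peak

def find_anomalies(baseline, flows, spike_factor=10):
    """Return (ts, dst, reason) for external flows that break the baseline."""
    findings = []
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal-to-internal flows are out of scope for this check
        peak = baseline.get(f["dst"])
        if peak is None:
            findings.append((f["ts"], f["dst"], "new external destination"))
        elif f["bytes"] > spike_factor * peak:
            findings.append((f["ts"], f["dst"], "volume spike"))
    return findings
```

Run find_anomalies(build_baseline(parse_flows(BASELINE_CSV)), parse_flows(TODAY_CSV)) to list the two flows worth a second look; the threshold and the internal ranges are the knobs to tune against your own baseline.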

Other options for monitoring network traffic

Other platforms perform similar functions and might provide as much or more information than NetFlow. For those of you with a Microsoft 365 E5 license or a Microsoft Defender for Business (currently in public preview), the Advanced Threat Protection console provides similar information regarding the interaction of events on your workstations and servers.

Layering on Defender for Cloud Applications can also track the flows through SaaS and other cloud platforms. Defender for Endpoint lets you review source IP, destination IP, and the source and destination ports. It also exposes the process information as well as the web URL involved in the interaction. Invest resources in understanding what your normal network traffic looks like and which external IP addresses you need to trust to do business.

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.