Best advice for responding to today’s biggest cyber threats

Apr 06, 2022 | 4 mins

Network Security | Threat and Vulnerability Management | Windows Security

Scary new threats don't necessarily require big changes to your security infrastructure. These simple actions can be more effective and less disruptive.

[Image: Encryption systems with backdoors. Credit: IDG / Thinkstock]

If you are like me, you follow world events and news such as Okta being breached by a group of teenagers to see if you need to change your defenses. This may not be a time to roll out new technologies or major changes to your network, as this will introduce other types of risk. Instead, consider taking these steps in response to current events.

Block traffic selectively

Blocking traffic from Russia and Belarus may help you limit noise in your log files and, if you run a customer-facing website, cut down on trolls and spam comments, but blocking a location will not slow a dedicated attacker. They will merely hop onto another VPN and come in from somewhere else. If you do want to reduce traffic, review your business needs and limit inbound traffic to the countries and locations you actually do business with.

Review how you use multi-factor authentication

The Okta breach made some of us rethink how multi-factor authentication (MFA) is implemented. We tend to roll out push-style MFA to make it easy on the users, but this often lures users into approving prompts without thinking about what is happening. Consider the risk profile of your users and what they are using MFA to protect.

Microsoft is urging folks to move away from approve-style two-factor prompts toward matching an item. Already rolled out to consumer Microsoft account MFA, the company now prompts the user to match a number rather than simply tap Approve.
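To make the difference concrete, here is an added illustration (not from the article, and not Microsoft's or Okta's code) of a toy push-MFA back end that supports both styles of prompt. The function names, the in-memory challenge store and the 60-second lifetime are all assumptions for the demonstration; the point is that a legacy Approve prompt succeeds whether or not the approver initiated the sign-in, while number matching requires information that only appears on the sign-in page the real user is looking at.

```powershell
# Added example: simulated push MFA, comparing an approve/deny prompt with
# number matching. Everything is in-process; no identity provider is called.

$script:PendingChallenges = @{}

function New-LoginChallenge {
    param([Parameter(Mandatory)][string]$UserName)
    # The two-digit number is shown only on the sign-in page; the push
    # notification asks the approver to type it.
    $number = Get-Random -Minimum 0 -Maximum 100
    $id = [guid]::NewGuid().ToString()
    $script:PendingChallenges[$id] = [pscustomobject]@{
        User     = $UserName
        Number   = $number
        Created  = Get-Date
    }
    [pscustomobject]@{ ChallengeId = $id; NumberToShow = ('{0:D2}' -f $number) }
}

function Approve-PushPrompt {
    # Legacy flow: tapping Approve is all it takes. A user who taps out of
    # habit, or on a prompt they never requested, lets the sign-in through.
    param([Parameter(Mandatory)][string]$ChallengeId)
    if (-not $script:PendingChallenges.ContainsKey($ChallengeId)) { return $false }
    $script:PendingChallenges.Remove($ChallengeId)
    return $true
}

function Approve-NumberMatchPrompt {
    # Number matching: the approver must enter the number displayed on the
    # sign-in page. Anyone who did not initiate the sign-in has to guess
    # (1 in 100), and a wrong guess or an expired challenge consumes it.
    param(
        [Parameter(Mandatory)][string]$ChallengeId,
        [Parameter(Mandatory)][int]$EnteredNumber,
        [int]$TtlSeconds = 60    # assumed lifetime for the demo
    )
    $challenge = $script:PendingChallenges[$ChallengeId]
    if ($null -eq $challenge) { return $false }
    $script:PendingChallenges.Remove($ChallengeId)   # single use, pass or fail
    if (((Get-Date) - $challenge.Created).TotalSeconds -gt $TtlSeconds) { return $false }
    return ($EnteredNumber -eq $challenge.Number)
}

# Demo 1: the legitimate user reads the number from the sign-in page.
$c1 = New-LoginChallenge -UserName 'alice'
"User enters $($c1.NumberToShow) from the sign-in page: " +
    (Approve-NumberMatchPrompt -ChallengeId $c1.ChallengeId -EnteredNumber ([int]$c1.NumberToShow))

# Demo 2: a prompt the user did not initiate. A reflexive tap approves the
# legacy prompt; with number matching the user has no number to type, so
# anything they enter is a guess and the challenge is spent on failure.
$c2 = New-LoginChallenge -UserName 'alice'
"Blind tap on a legacy prompt: " + (Approve-PushPrompt -ChallengeId $c2.ChallengeId)

$c3 = New-LoginChallenge -UserName 'alice'
$wrongGuess = (([int]$c3.NumberToShow) + 1) % 100
"Wrong guess on a number-match prompt: " +
    (Approve-NumberMatchPrompt -ChallengeId $c3.ChallengeId -EnteredNumber $wrongGuess)
"Retrying the same challenge after a miss: " +
    (Approve-NumberMatchPrompt -ChallengeId $c3.ChallengeId -EnteredNumber ([int]$c3.NumberToShow))
```

Run it in a PowerShell session and the first line prints True, the blind tap prints True (that is the problem the article describes), and the two number-match attempts on the uninitiated sign-in print False. A production implementation would also rate-limit challenges per user and alert on repeated failed matches, since those are exactly the signal that someone is pushing prompts the user did not ask for.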

Keep communications on threats relevant to users and leadership

Sending too much communication to staff and management about what should or should not be done is just noise. The sky is not falling, and that noise will only encourage people to tune out the important messages. Send communications only when it is relevant to your firm and can be actionable to your end users.

You still need to keep senior leadership informed about what is going on and perhaps what you are seeing in your log files. Use fact sheets on news items and security events, and prepare briefs to show where you have taken action, where you are researching actions to take, and what resources you might need to maintain or complete a goal.

Find appropriate information and technical resources

Find resources regarding how attacks occurred and determine if your firm has the necessary resources to protect itself. For example, recent events in Ukraine used ransomware and disk wiping software to do the most damage. Do you have the resources to restore or redeploy systems? Do you have resources to withstand DoS attacks?

Ensure that someone on your staff watches social media for information on attacks and methodologies. Twitter often has early insight into events. Even if you don’t tweet, you can set up an account and watch what others say. Start with a recommended list of accounts, then look at who they follow and add them to your list. The SANS Internet Storm Center is another excellent resource for information about incidents and events.

If you have a Microsoft 365 E5 license, you can review threats on the Threat Analytics website. The console provides actionable information about the attacks Microsoft is investigating, and you can drill down to review recommendations for mitigation and prevention.

[Screenshot: Threat Analytics console. Credit: Susan Bradley]

You will often see recommended Attack Surface Reduction (ASR) rules to block threats and protect machines. Many ASR rules can be enabled without major side effects, but roll them out only after testing. I highly recommend that you start by analyzing the impact such rules would have in your network.
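One way to do that impact analysis, as an added example that is not from the article or from Microsoft's documentation: put the recommended rule into audit mode, let it run across your line-of-business applications for a while, then summarize what it would have blocked before switching it to Block. `<RULE-GUID>` is a placeholder for the rule ID that Threat Analytics recommends; the Defender cmdlets and the event IDs (1122 for an ASR audit hit, 1121 for a block) are real, but the event data field names used in the summary are taken from memory and should be checked against one raw event on your own hosts.

```powershell
#Requires -RunAsAdministrator
# Added example: stage an ASR rule in audit mode, then review audit hits
# before enforcing it. Replace the placeholder with the recommended rule's GUID.

$RuleId = '<RULE-GUID>'   # placeholder: take this from the Threat Analytics recommendation

function Get-AsrRuleState {
    # List every configured ASR rule with its current action.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action codes as stored by Defender: 0 Disabled, 1 Block, 2 Audit, 6 Warn
        $actionName = switch ($actions[$i]) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default { $_ } }
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionName }
    }
}

# Step 1: turn the rule on in audit mode. Audit only logs; nothing is blocked,
# so users notice no change while you collect data.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
Get-AsrRuleState | Format-Table -AutoSize

function Get-AsrAuditSummary {
    # Step 2: after a representative period, group the audit events
    # (ID 1122 in the Defender operational log) by rule and process so you can
    # tell legitimate business-app noise from activity the rule should stop.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Field names assumed from the 1122 event schema; verify on one event
        # with (Get-WinEvent ...)[0].ToXml() before relying on them.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Path    = $data['Path']
            User    = $data['User']
        }
    } |
    Group-Object RuleId, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
}
Get-AsrAuditSummary | Format-Table -AutoSize

# Step 3: once every frequent hit is explained (and any needed exclusions are
# in place), enforce the rule. Left commented out so the script stays audit-only.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
```

Running the audit summary across a sample of machines from each department, rather than only IT workstations, is what turns "no side effects in my testing" into a defensible rollout decision.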

[Screenshot: Threat Analytics recommended Attack Surface Reduction rules. Credit: Susan Bradley]

To stay up to date on global threats, pay attention to government advisories. In particular, review two documents that were released as a result of potential Russian cyber activity: the White House’s Fact Sheet: Act Now to Protect Against Potential Cyberattacks and the Cybersecurity & Infrastructure Security Agency’s (CISA’s) Shields Up advisories. If you are part of a government network or critical infrastructure, the Information Sharing and Analysis Center (ISAC) for your industry will also have relevant information on recent threats.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.
