The Russia-Ukraine crisis has raised alarms about heightened risk of cyberattacks. Don't panic, but do make sure you're on top of these fundamental security best practices.

A SANS Institute webcast about Russian cyberattack escalations in Ukraine presented a couple of takeaways. The first: don't panic. Too often with security issues we think the worst; we may overreact and make the situation worse. Instead, focus on the basics. The second is that we need to pay more attention to network traffic.

Take care of security basics first

When reviewing your network for potential cyber threats, don't make things worse by introducing misconfigurations that will create more problems. Spend time on the basics and on other projects that you probably should have worked on earlier.

Documentation and planning are what you need to be doing now, not making changes and configuration adjustments. Slow down and review plans rather than make dramatic changes. Configuration changes often introduce side effects that make you think an attack is underway from external sources. A website goes offline and we immediately think of a cyberattack, but the root cause is often a Domain Name System (DNS) misconfiguration or a core infrastructure issue.

Take the time to review and consider targeted entry points. Learn the lessons from the Maersk ransomware attack that started in Ukraine. Review which business-to-business entry points are weak links. Review all virtual private network (VPN) connections into your network and where they come from. Remember, their security impacts your security. Add two-factor authentication to these connections where appropriate, and consider whether you need to make temporary adjustments to who connects to your network during this time.

I usually recommend holding off on patching until we know of any side effects, but depending on your risk level you may want to test updates on an accelerated basis and deploy sooner than normal.
I also recommend reviewing the commonly attacked vulnerabilities and ensuring that you have patched your network for them.

Last, but certainly not least, don't become a source of funding for attackers. Ensure that you can recover from a ransomware attack and do not pay ransom to attackers. Having an offline backup should be a priority to ensure that you can recover in any situation.

Monitor network traffic for anomalies

SANS recommended that you review what resources you have in place to monitor network traffic to see who might be inside your network. Specifically, review NetFlow, a commonly used network protocol created by Cisco that collects active IP network traffic as it flows in or out of an interface. It tracks point of origin, destination, volume and paths on the network.

First look to your edge devices: your firewalls and other devices that control the flow of network traffic in and out of your network. Even a small firm's firewall can probably support this level of investigation. Start by pulling out your firewall manual and reviewing whether you can enable logging of NetFlow traffic. It's not enough to enable it; you need to log it so that you can go back and investigate malicious traffic after the fact.

NetFlow isn't just about malicious traffic. It's also a means to reduce bottlenecks and optimize bandwidth utilization. NetFlow data isn't useful for just a single session; it provides more information when it's accumulated. Enabling NetFlow analysis and storing the data so that you can later review it for patterns is key. Use resources such as Splunk to store and further analyze the information that you receive from your network. You can also use cloud-based services such as Azure Sentinel to store and review NetFlow information.

Other options for monitoring network traffic

Other platforms perform similar functions and might provide as much or more information than NetFlow. For those of you with a Microsoft 365 E5 license or Microsoft Defender for Business (currently in public preview), the Advanced Threat Protection console provides similar information regarding the interaction of events on your workstations and servers. Layering on Defender for Cloud Applications can also track the flows through SaaS and other cloud platforms. Defender for Endpoint allows you to review source IP, destination IP, and the source and destination ports. It also exposes the process information as well as the web URL involved in the interaction.

Put resources into understanding what your normal network traffic looks like and which external IP addresses you need to trust to do business.
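The two points the article makes about flow data, that NetFlow only becomes useful once records are accumulated rather than looked at one session at a time, and that you need a baseline of which external addresses your business actually has to trust, can be shown in a few dozen lines. The script below is an added example written for this page, not code from the article, SANS, Cisco or Microsoft. It assumes a constructed CSV export format (timestamp, source IP, destination IP, destination port, bytes) rather than any vendor's real NetFlow export, and the internal ranges, the trusted partner address and the sample records are all constructed. It aggregates outbound flows per internal host and external destination, skips destinations on the trusted list, and flags the rest when they show repeated sessions or a large cumulative volume, so a destination that every single flow would make look harmless still surfaces once the flows are summed.

```python
"""
Added example, not code from the article: accumulate NetFlow-style records
exported as CSV (a constructed format, not a specific vendor's export) and
flag outbound traffic to external hosts that are not in the trusted baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export: timestamp,src_ip,dst_ip,dst_port,bytes
SAMPLE_EXPORT = """\
2022-03-01T09:00:01,10.0.1.15,203.0.113.10,443,12000
2022-03-01T09:00:04,10.0.1.16,203.0.113.10,443,8500
2022-03-01T09:01:10,10.0.1.15,198.51.100.77,443,900
2022-03-01T09:02:12,10.0.1.15,198.51.100.77,443,950
2022-03-01T09:03:15,10.0.1.15,198.51.100.77,443,870
2022-03-01T09:04:20,10.0.1.15,198.51.100.77,8443,910
2022-03-01T09:05:00,10.0.1.22,10.0.2.5,445,50000
2022-03-01T09:06:00,10.0.1.22,192.0.2.9,22,2000
2022-03-01T09:07:00,10.0.1.30,192.0.2.50,443,250000
"""

# Constructed baseline: internal ranges and the external IPs the business must trust.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
TRUSTED_EXTERNAL = {"203.0.113.10"}  # e.g. a partner or SaaS endpoint (constructed)


def parse_flow_lines(text):
    """Parse CSV flow lines into tuples; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append((ts, src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue  # non-numeric port or byte count: not a usable record
    return flows


def is_internal(ip):
    """True if the address falls inside one of the constructed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate_outbound(flows):
    """Sum sessions, bytes and ports per (src, dst) for internal-to-external flows."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "ports": set()})
    for _ts, src, dst, dport, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            entry = totals[(src, dst)]
            entry["sessions"] += 1
            entry["bytes"] += nbytes
            entry["ports"].add(dport)
    return totals


def find_anomalies(flows, trusted=TRUSTED_EXTERNAL, min_sessions=3, min_bytes=100_000):
    """Flag untrusted external destinations contacted repeatedly or with large volume.

    Thresholds are constructed for the sample data; tune them from your own baseline.
    """
    findings = []
    for (src, dst), entry in aggregate_outbound(flows).items():
        if dst in trusted:
            continue
        reasons = []
        if entry["sessions"] >= min_sessions:
            reasons.append("repeated sessions")
        if entry["bytes"] >= min_bytes:
            reasons.append("high volume")
        if reasons:
            findings.append({
                "src": src, "dst": dst,
                "sessions": entry["sessions"], "bytes": entry["bytes"],
                "ports": sorted(entry["ports"]), "reason": ", ".join(reasons),
            })
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for finding in find_anomalies(parse_flow_lines(SAMPLE_EXPORT)):
        print(finding)
```

Run on the sample, the four small flows from 10.0.1.15 to 198.51.100.77 are each under a kilobyte and would pass unnoticed one at a time, but together they are reported as repeated sessions across two ports; the single large transfer to 192.0.2.50 is reported on volume; the partner address 203.0.113.10 and the internal SMB flow are left alone. The same structure applies to real exports once `parse_flow_lines` is swapped for your collector's format and the trusted list is built from the review of business-to-business and VPN entry points described above.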