A Checklist for Developing Defenses

Step: Remove your global allow firewall rule that permits any established connections to flow.

Description: Learn your network using network flow analysis tools such as argus. Use what you learn to create specific "allows" for established TCP connections and for UDP. Once comfortable, remove the "permit any any tcp established" and UDP-oriented catch-all rules to limit an attacker's options once he has infiltrated. This comes with the ancillary benefit of requiring your users to utilize only the specific services you provide for them, instead of allowing them to connect to any and all services directly across the Internet.

Step: Follow best practices for gateway filtering of internal IP addresses.

Description: Filter private addresses from leaving your network border in order to avoid unintended information disclosure.
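The first two steps above, worked as an added example that is not code from the book: constructed argus-style flow records are aggregated into the specific allow rules that would replace the catch-all, and a second pass over flows observed on the outside interface flags packets that carry RFC 1918 or other special-use addresses past the border. The internal address space, the NAT address and every flow record are assumptions constructed for the example; public addresses are stood in for by documentation ranges.

```python
"""Added example (not from the book): turn observed flows into specific firewall
allows and check the outside interface for leaking private addresses.
All flow records below are constructed; the field layout mimics what argus's
ra(1) prints (proto, src addr, src port, dst addr, dst port, state)."""
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# RFC 1918 private space plus RFC 3330 special-use blocks that must never be
# seen on the outside of a border.  RFC 3330's TEST-NET (192.0.2.0/24) is left
# out on purpose: this example uses the documentation ranges 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 as stand-ins for public addresses.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",      # "this" net, loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                      # multicast, reserved
)]

# Constructed flows seen on the inside of the border, before NAT.
INSIDE_FLOWS = [
    ("tcp", "10.1.2.30", 51200, "203.0.113.10", 443, "CON"),
    ("tcp", "10.1.2.31", 51201, "203.0.113.10", 443, "CON"),
    ("tcp", "10.1.2.30", 51202, "198.51.100.25", 25, "CON"),
    ("udp", "10.1.2.30", 40000, "198.51.100.53", 53, "CON"),
    ("tcp", "10.1.2.77", 51203, "192.0.2.9", 6667, "CON"),
    ("tcp", "10.1.2.77", 51204, "192.0.2.9", 31337, "REQ"),   # SYN only, never established
    ("tcp", "198.51.100.77", 4444, "10.1.2.30", 22, "CON"),   # inbound, handled by other rules
]

# Constructed flows seen on the outside interface, after NAT to 203.0.113.200.
OUTSIDE_FLOWS = [
    ("tcp", "203.0.113.200", 51200, "203.0.113.10", 443),
    ("tcp", "192.168.5.5", 51300, "203.0.113.10", 80),    # private source slipped past NAT
    ("udp", "203.0.113.200", 40000, "10.9.9.9", 53),      # private destination sent upstream
]


def is_internal(addr):
    """True if addr falls inside one of our internal networks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def learn_allows(flows):
    """Aggregate established, outbound flows by (proto, dst, dport) and count
    how many distinct internal hosts used each service.  The result is the
    candidate list of explicit allows that replaces the catch-all rule."""
    hosts = defaultdict(set)
    for proto, src, _sport, dst, dport, state in flows:
        if state != "CON" or not is_internal(src) or is_internal(dst):
            continue
        hosts[(proto, dst, dport)].add(src)
    return {svc: len(h) for svc, h in hosts.items()}


def render_acl(allows):
    """Render the learned services as Cisco-style ACL lines (the syntax the
    checklist quotes), one per service, so they can stand in for
    'permit tcp any any established' and the UDP catch-all."""
    lines = []
    for (proto, dst, dport), _count in sorted(allows.items()):
        for net in INTERNAL_NETS:
            lines.append(f"permit {proto} {net.network_address} {net.hostmask} "
                         f"host {dst} eq {dport}")
    return lines


def is_special_use(addr):
    """True if addr is in RFC 1918 space or one of the listed special-use blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in SPECIAL_USE)


def egress_leaks(flows):
    """Flows on the outside interface that carry a special-use address in either
    direction; each one is a filtering gap and an information leak."""
    return [f for f in flows if is_special_use(f[1]) or is_special_use(f[3])]


if __name__ == "__main__":
    for line in render_acl(learn_allows(INSIDE_FLOWS)):
        print(line)
    for leak in egress_leaks(OUTSIDE_FLOWS):
        print("leak:", leak)
```

The host count per service is what an analyst reviews before committing a rule: a service reached by many hosts is a candidate for an explicit allow, while a single host talking to an unusual port (here the IRC flow to port 6667) deserves a look before it is codified.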

Step: Don't use externally reachable gateway devices to connect internal network segments.

Description: Audit your internal network in search of routers or firewalls that serve dual roles as both a connection between internal network segments and a gateway to the public network. Physically segregate such roles onto disparate gateway devices.

Step: Consider running a defaultless network.

Description: If you receive a complete routing table from your upstream ISP, consider pointing your default route to an analysis segment and/or darknet instead of to your ISP. Because every reachable Internet prefix then has a specific route, Internet-bound traffic will still be sent to your ISP and all other traffic will be kept internally. Packets destined for networks you don't utilize internally match no specific route, fall through to the default, and wind up in your darknet for analysis.
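The defaultless step, worked as an added example that is not code from the book: a minimal longest-prefix-match router is configured once the conventional way (default toward the ISP) and once defaultless (the ISP's full table plus a default toward a darknet), and the same sample destinations are forwarded through both. The internal prefixes, the three-entry "full table" and the sample addresses are constructed assumptions; a real ISP feed carries every advertised Internet prefix.

```python
"""Added example (not from the book): longest-prefix routing with a default
route pointed at a darknet instead of the ISP.  The 'full table' below is a
constructed three-prefix stand-in for what a real ISP feed provides."""
import ipaddress

# Constructed stand-in for the ISP's full routing table.  A real feed carries
# every advertised Internet prefix, which is what makes a default unnecessary.
ISP_FULL_TABLE = [("192.0.2.0/24", "isp"), ("198.51.100.0/24", "isp"),
                  ("203.0.113.0/24", "isp")]

# Assumption: internal prefixes actually in use (the rest of 10/8 is unused).
INTERNAL_ROUTES = [("10.1.0.0/16", "core-sw1"), ("10.2.0.0/16", "core-sw2")]


class Router:
    """Minimal longest-prefix-match forwarding table with a configurable default."""

    def __init__(self, routes, default_next_hop):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.default = default_next_hop

    def next_hop(self, dst):
        """Return the next hop for dst: the most specific matching prefix,
        or the default when no prefix matches."""
        a = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else self.default


# Conventional: specific internal routes plus a default toward the ISP.
CONVENTIONAL = Router(INTERNAL_ROUTES, default_next_hop="isp")
# Defaultless: the ISP's full table plus a default toward the darknet sensor.
DEFAULTLESS = Router(INTERNAL_ROUTES + ISP_FULL_TABLE, default_next_hop="darknet")


def forward_all(router, destinations):
    """Map each destination to the next hop the given router would choose."""
    return {d: router.next_hop(d) for d in destinations}


# Constructed sample destinations: a used internal host, a public host, an
# unassigned address inside internal space, and an unrelated RFC 1918 address.
SAMPLE = ["10.1.4.20", "203.0.113.7", "10.200.0.1", "172.16.3.3"]

if __name__ == "__main__":
    print("conventional:", forward_all(CONVENTIONAL, SAMPLE))
    print("defaultless: ", forward_all(DEFAULTLESS, SAMPLE))
```

The comparison makes the side benefit visible: with a conventional default, packets to unassigned internal space or to foreign RFC 1918 addresses leave for the ISP (the leak the previous step filters against), whereas in the defaultless configuration they land on the darknet, where a sensor can record who is probing address space that should see no legitimate traffic.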

Recommended Reading

  • RFC 3330 (Special-Use IPv4 Addresses) and RFC 1918 (Address Allocation for Private Internets)

  • http://www.geocities.com/fryxar/

  • http://www.qosient.com/argus/



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120
