A quick one can be to put a CSS on a SIP trunk for incoming calls to only allow calls to onnet partitions, so as not to allow offnet>>ofnet calls.
do the same on your VCS trunk if you have it, because VCS;s are even more prone to attacks
Take look here, there is a lot of information:
In addition to the suggestions mentioned by others, make sure that your SIP gateway only allows connections from trusted IPs (generally this would be your CUCM servers, and your ITSP's IPs.
This is done by the following commands:
voice service voip
ip address trusted list
Also make sure that the Calling Search Space that your Unity voice mail ports use don't have access to the PSTN. Doing so prevents an attacker from accessing a user's weak voicemail PIN to access their voicemail box, and then changing their transfer rules to forward all calls do that number to an internatioinal number. Unity *might* need access to the PSTN depending on your setup, but it's rare and usually not needed.