Garmin Hack: A CISO’s View on What Happened and How to Protect Your Business
It’s not often that ransomware attacks affect many people you know both in and outside of work. But the recent Garmin hack did just that, reaching national headlines and stopping everyone from park joggers to competition cyclists from uploading, viewing and sharing their workout data.
Now that Garmin has started the process of recovering from what is now widely understood to be a ransomware attack, it’s worth taking the time to consider how such a large organisation, holding such sensitive data, could be targeted so successfully by hackers.
In this blog post our Chief Information Security Officer Paul Rose will explore how the attack was executed, and what lessons your business can learn from Garmin’s unfortunate fate.
Who Launched the Garmin Hack, and How?
Cyber security experts believe the Garmin hack used ransomware delivered through the WastedLocker malware package. The package was developed by Evil Corp, a hacking group based in Russia which had sanctions thrust upon it by the US Department of the Treasury last year.
The NCSC Cyber Security Information Sharing Partnership (CiSP) reporting site indicated Evil Corp gained the access it needed to deliver the malware package through a phishing attack that infiltrated Garmin’s corporate network.
CiSP intelligence states that the first penetration attempt was an assessment of active defences, effectively probing the target to test controls and map infrastructure. This was followed up with a phishing attack designed to circumvent the active security software and other perimeter protection.
How Was the Garmin Hack Allowed to Happen?
If you’re asking yourself how a large organisation like Garmin allowed itself to be hacked, you may be surprised to hear the answer: many large organisations invest a lot of marketing and PR budget into advertising their cyber security efforts without investing enough budget into the cyber security efforts themselves.
Here are some questions you may have, and my responses to them:
If Evil Corp gained access through a phishing attack, then does Garmin not provide regular cyber security training?
Users remain your business’s first line of defence against cyber-attack; you can deploy all the controls you want, but if your users do not adhere to policies and are lax in their approach to cyber security then many of these controls can be bypassed without even being used.
At Six Degrees we have invested heavily in a quality cyber security learning management system that tracks staff training requirements, targets specific groups, is integrated with other systems, and continually tests users against simulated cyber-attacks, including simulated phishing tests. If a phishing test succeeds, the users that ‘took the bait’ receive additional training, are made to re-read and sign for specific policies, and are monitored closely. We also use our internal systems to publish regular intelligence about such attacks and the harm they could cause Six Degrees as a business.
Why did Garmin’s production systems suffer outages when the cyber-attack targeted the business’s corporate systems?
The fact that a cyber-attack on Garmin’s corporate systems resulted in the outage of the production systems suggests that several areas failed. At Six Degrees we have utilised a number of different standards for the services we support. These include NCSC design principles for public sector networks, PCI-DSS standards for private sector customers that process credit cards, and standards such as the NIST Cyber Security Framework for best practice. All of these standards recommend using segmentation or the deployment of air-gapped networks to ensure that data is segregated and networks can function independently. Put simply, this means that bringing down one network does not impede another.
Additionally, using cloud solutions such as Microsoft 365 could have prevented the attack. At Six Degrees we have used our in-house skillsets to deploy a number of security controls and hardened our Microsoft 365 instance to meet CIS benchmarks, ensuring our estate has defence-in-depth.
Did Garmin not have offline backups?
Backups that are segmented or offline would have prevented the damage to Garmin from being so severe. Garmin may have been able to restore data that, although several hours old, was free of ransomware.
Have Garmin’s incident management procedures been lacking?
Although Garmin’s systems have not been working since late July, the business’s crisis management has been short on detail. It is imperative to have a stringent and tested process that sets out the actions to be followed, including external and internal communications.
At Six Degrees we utilise the NIST Incident Management guidelines and also run war room exercises to ensure we have the correct processes in place. Reputational damage is a huge part of the harm a ransomware attack can cause a business; robust incident management procedures can help control or reduce this damage.
Was disaster recovery another area of weakness in Garmin’s response to the hack?
Given the systems and sites affected in the Garmin hack, it’s evident that the business’s disaster recovery plans may have been another problem area. At Six Degrees we have built business continuity into all mission-critical systems. Our ISO 22301 (Business Continuity Management System) accreditation is key to the success of our detailed business continuity plans.
Garmin Hack: How to Protect Your Business
The Garmin hack has caused significant financial, operational and reputational damage to what has, to date, been a well-established, highly reputable business. In this blog our CISO Paul Rose has given his thoughts on some of the questions he would ask of Garmin as a business moving forward, and has provided context around how Six Degrees proactively mitigates the risks it faces in today’s hostile digital landscape.
Six Degrees delivers managed cyber security and consultancy services that will enable your organisation to enhance its cyber security posture and protect itself from cyber-attack.
The Six Degrees Cyber Clinic delivers free cyber security advice and best practice guidance to help your organisation remain secure during this period of uncertainty. If you would like to contact the Cyber Clinic with your questions or concerns, please get in touch.
We are publishing regular Cyber Intelligence Reports that provide details of known cyber threats related to coronavirus that have arisen, along with recommended remediation steps. You can download the latest report here.