Data Mining Resumes for Computer Attack Reconnaissance

It’s hard to avoid leaking potentially sensitive information about the employer in one’s resume. Explaining your experience and skill-set in the world of IT usually involves naming the technologies with which you worked. This information can help computer attackers profile their targets, revealing details about the security measures they may need to bypass.

Looking at resume contents can be a useful step as part of reconnaissance activities, in which computer attackers and penetration testers alike engage in the initial phase of the attack. One way to accomplish this involves looking at targets’ LinkedIn profiles, as I wrote earlier when discussing competitive intelligence gathering practices via LinkedIn.

Attackers can also search job search sites, which index job-seekers’ resumes. One way to do this is to register with such sites as a potential employer, which often involves paying for the ability to search resumes. As we saw in a data breach that occurred at Monster in 2009, computer intruders sometimes pursue the database of resumes directly with the expectation of mining its contents for various nefarious purposes.

Perhaps the easiest way to mine resumes for computer attack reconnaissance is provided by the Indeed resume site, which allows anyone to search resume contents for free and without the need to register. Attackers can locate potential victims by searching for the mention of a technology that might have an exploitable vulnerability in it. In the context of targeted attacks or penetration tests, attackers would probably search for all resumes that mention the desired company’s name.

Consider some of the excerpts attackers might locate in resumes:

  • "Managed the implementation of File Integrity Monitoring via Bladelogic 7.6 on all external web-facing applications"
  • "Supported systems integration of BEA WebLogic Portal 9.1 with CA Siteminder 6.x for forms-based and CAC authentication."
  • "Veritas Backup Exec, Active Directory, Remedy Ticket Management, Norton Anti-Virus, McAfee Anti-Virus, QIP, Hyena, Compaq Smart Start, Compaq Insight Manager, Cisco Works, SharePoint, DameWare Remote Desktop, Citrix"
  • "SourceFire IDS, Nessus, Lots Notes, Wind Rivers Vxworks, Redhat Linux"

By themselves, these tidbits of information might not be significant, but they might contribute to planning and executing other aspects of the attack.

A few suggestions for organizations concerned about resumes being used to inadvertently leak data:

  • Design security with the expectation that at least high-level details about the technologies and processes you employ will be known to potential attackers.
  • Educate your employees regarding the type of information they may or may not reveal when describing their professional duties outside of the company.
  • Periodically search the web in general, LinkedIn and resume sites such as Indeed for sensitive information that may have been exposed about your organization.
  • Consider employing specially-crafted “honeypot” resumes with fake information that might deceive attackers and give you a defensive advantage.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more