Cyber Security training from QA

Sometimes an attack might be right in front of your eyes!

QA Cyber Training Delivery Manager, Mark Amory, discusses a new exploit in X.509 certificates that allows malicious code to be inserted into a network.

Mark Amory | 14 March 2018

Attackers have for many years tried to find ways to get malicious code inside a victim’s network; Some new research by fidelis security has uncovered another, novel way to achieve those aims which your security systems might not pick up. The original research in pdf format can be found at the following link (

The attack exploits the fact that X.509 certificates have a number of fields which can contain arbitrary values. In their research, Fidelis proved that data can be transferred within the SubjectKeyIdentifier field of the X.509 certificate and is not limited to any size constraints other than the extents of device memory.

The SubjectKeyIdentifier field is supposed to hold a hash value that identifies the public key being certified. This value enables distinct keys used by the same subject to be differentiated.

In an attack using this approach this field can be used to pass through any form of data, including executable code.

In many cases, the SubjectKeyIdentifier value is not validated by either firewalls or IDS as they typically are set to look for data being transmitted in a protocol payload such as a TCP, UDP or SMTP packet.

In the case of the X.509 certificate the code is passed as a part of the handshake process, and as such no data payload is being transmitted.

Fidelis produced a proof of concept attack and included a Mimikatz payload in the X.509 certificate and transferred it to an already compromised device via the TLS negotiation phase.

There are ways to check to see if a certificate is being used in these ways. For example, the common hashes used in the SubjectKeyIdentifier field are MD5, SHA-1, SHA-256, SHA-384, or SHA-512. As such, if SHA-512 is used that would create the longest hash value at 128 characters long. Rules can be established (normally with the use of a Regex query) to look for values in this filed which are longer than 128 characters and flag them if they are.

But how many of you reading this have such rules?

How many of you reading this even contemplated someone using X.509 to attack your organisation?

How many of you are about to go check and update your firewall rules?


Cyber Security training from QA

At QA we offer a wealth of courses covering all aspects of security, in this case we would recommend our Network Security Foundation course, or our PKI & TLS Security Implementation course.

We have uniquely positioned ourselves to help solve the Cyber skills gap, from our CyberFirst and Cyber Apprenticeship programmes and Cyber Academies to Cyber Challenges, Training and Certifications and Consultancy for Cyber Security.

They offer end-to-end Cyber training and certifications from Cyber Awareness to deep dive Cyber Programmes and solutions; from Cyber Investigations, Cyber Crisis Management, Proactive Security to Offensive Defence. QA only employ world-leading Cyber trainers who have the expertise to deliver bespoke Cyber solutions, GCHQ accredited courses and proudly the CyberFirst programme. This is all to support tackling the UK's National Cyber Security skills shortage.

QA also have state-of-the-art CyberLabs, where companies can simulate real-life Cyber-attacks on their infrastructure, helping them to prevent & combat breaches without risking their own network.

Take a look at QA's CyberLabs

Visit for more information on how they can help solve the Cyber Security skills gap.



Mark Amory

Cyber Training Delivery Manager

After leaving a career as a Mechanical and Electrical Engineer in 1998, Mark started out with a fresh career as an IT trainer. Spending the first few years as an applications trainer, Mark excelled in delivering Microsoft Office and Adobe products. In-line with his background as an Engineer, Mark soon shifted focus to more technical deliveries, including hardware and networking topics; a field he has remained in ever since. As a natural progression of his career saw Mark start to explore the security aspect of his existing competencies and since 2005 has specialised in the Cyber Security domain. Mark has been the author of a number of QA Cyber Security courses and was the design authority and author of the 2017 NCSC Cyber First Academy. Mark is a C|EH and is currently undergoing the process of becoming an NCSC Certified Cyber Professional.
Talk to our learning experts

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.