Get The Flock Out of My Cloud: Using DuckDB to Detect Spousal Sabotage

What happens when the insider threat shares your Wi-Fi password? In this entertaining yet educational talk, Jared and Liz Gore demonstrate how to use DuckDB to detect sophisticated cloud security threats across AWS, Azure, and GCP through a playful CTF-style demonstration.

Talk Overview

What happens when the insider threat shares your Wi-Fi password? In this unique and entertaining presentation, Jared and Liz Gore turn cloud security education into a playful CTF-style demonstration. Through the lens of “spousal sabotage,” they reveal how sophisticated attackers—from North Korean IT workers to malicious insiders—compromise cloud infrastructure, and more importantly, how to catch them using open-source tools.

The Scenario

Liz, a GCIH-certified security professional, plays the insider threat, using the same tactics real-world attackers rely on. The demonstration walks through realistic attack scenarios including:

  • Backdoor Credential Creation: Establishing persistent access through IAM users and roles
  • Resource Access Manipulation: Modifying permissions to access sensitive data
  • Logging Manipulation: Attempting to cover tracks by disabling or tampering with audit logs
  • Lateral Movement: Moving across cloud accounts and services to expand access

Detection with DuckDB

The defensive side of the presentation shows how to detect these attacks with DuckDB, an embedded analytical database that queries JSON, CSV and Parquet files in place, so cloud audit logs and IAM exports can be analysed with plain SQL on a laptop rather than loaded into a SIEM first. Attendees learn practical techniques for:

  • Analyzing CloudTrail logs to identify suspicious API calls
  • Querying IAM configurations to detect backdoor credentials
  • Correlating activity patterns across multiple cloud services
  • Building automated detection queries that run locally without expensive SIEM platforms
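The following DuckDB session is an added example, not material from the talk or the speakers' slides. It covers the backdoor-credential, logging-manipulation and correlation points from the scenario and detection lists above, against a handful of constructed CloudTrail-style records. The `events` table, its column names, the principals (`user/liz`, `user/jared`, `user/backup-svc`), the IP addresses, timestamps and the ten-minute window are all invented for illustration; only the event names (`CreateUser`, `CreateAccessKey`, `AttachUserPolicy`, `StopLogging` and the others) are real AWS API names. `json_extract_string` comes from DuckDB's bundled json extension, which the CLI and Python bindings load automatically.

```sql
-- Added example (not from the talk): DuckDB queries over CONSTRUCTED
-- CloudTrail-style records. Every row below is made up for illustration.
CREATE OR REPLACE TABLE events AS
SELECT event_time::TIMESTAMP AS event_time,
       event_source, event_name, principal_arn, source_ip, request_params
FROM (VALUES
  ('2024-05-01T08:00:00Z', 'iam.amazonaws.com',        'CreateUser',       'arn:aws:iam::111111111111:user/liz',        '203.0.113.5',  '{"userName":"backup-svc"}'),
  ('2024-05-01T08:01:10Z', 'iam.amazonaws.com',        'CreateAccessKey',  'arn:aws:iam::111111111111:user/liz',        '203.0.113.5',  '{"userName":"backup-svc"}'),
  ('2024-05-01T08:02:30Z', 'iam.amazonaws.com',        'AttachUserPolicy', 'arn:aws:iam::111111111111:user/liz',        '203.0.113.5',  '{"userName":"backup-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}'),
  ('2024-05-01T08:05:00Z', 'cloudtrail.amazonaws.com', 'StopLogging',      'arn:aws:iam::111111111111:user/liz',        '203.0.113.5',  '{"name":"management-events"}'),
  ('2024-05-01T09:30:00Z', 'iam.amazonaws.com',        'CreateUser',       'arn:aws:iam::111111111111:user/jared',      '198.51.100.7', '{"userName":"analyst-42"}'),
  ('2024-05-03T10:00:00Z', 'iam.amazonaws.com',        'CreateAccessKey',  'arn:aws:iam::111111111111:user/jared',      '198.51.100.7', '{"userName":"analyst-42"}'),
  ('2024-05-02T01:15:00Z', 's3.amazonaws.com',         'ListBuckets',      'arn:aws:iam::111111111111:user/backup-svc', '192.0.2.44',   '{}')
) AS t(event_time, event_source, event_name, principal_arn, source_ip, request_params);

-- 1. Backdoor credential creation: a principal creates a user and, within ten
--    minutes (assumed window), gives that same user an access key, console
--    password or policy. jared's analyst-42 gets its key two days later and
--    therefore does not match.
WITH created AS (
  SELECT principal_arn, event_time AS created_at,
         json_extract_string(request_params, '$.userName') AS new_user
  FROM events
  WHERE event_name = 'CreateUser'
),
granted AS (
  SELECT event_time AS granted_at, event_name,
         json_extract_string(request_params, '$.userName')  AS target_user,
         json_extract_string(request_params, '$.policyArn') AS policy_arn
  FROM events
  WHERE event_name IN ('CreateAccessKey', 'CreateLoginProfile',
                       'AttachUserPolicy', 'PutUserPolicy')
)
SELECT c.principal_arn AS creator, c.new_user, g.event_name, g.policy_arn,
       g.granted_at - c.created_at AS delay
FROM created c
JOIN granted g
  ON g.target_user = c.new_user
 AND g.granted_at BETWEEN c.created_at AND c.created_at + INTERVAL 10 MINUTE
ORDER BY c.created_at, g.granted_at;

-- 2. Logging manipulation: any call that stops, deletes or reshapes a trail.
SELECT event_time, principal_arn, event_name, source_ip,
       json_extract_string(request_params, '$.name') AS trail_name
FROM events
WHERE event_source = 'cloudtrail.amazonaws.com'
  AND event_name IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors')
ORDER BY event_time;

-- 3. Correlation: everything done by users that were created by a principal
--    who also tampered with logging, i.e. the backdoor being used later.
WITH suspects AS (
  SELECT DISTINCT principal_arn
  FROM events
  WHERE event_source = 'cloudtrail.amazonaws.com'
    AND event_name IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors')
),
backdoors AS (
  -- rebuild the new user's ARN from the creator's account prefix (assumes same account)
  SELECT regexp_replace(e.principal_arn, 'user/.*$', 'user/')
         || json_extract_string(e.request_params, '$.userName') AS backdoor_arn
  FROM events e
  JOIN suspects s USING (principal_arn)
  WHERE e.event_name = 'CreateUser'
)
SELECT e.event_time, e.principal_arn, e.event_source, e.event_name, e.source_ip
FROM events e
JOIN backdoors b ON e.principal_arn = b.backdoor_arn
ORDER BY e.event_time;
```

Run it with `duckdb < detect.sql`. Against real CloudTrail files, replace the VALUES list with `SELECT unnest(Records) FROM read_json_auto('path/**/*.json.gz')` and map CloudTrail's own field names (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters`); `read_json_auto` turns `requestParameters` into a struct, so `r.requestParameters.userName` replaces the `json_extract_string` calls. Two caveats a practitioner should keep in mind: the first query only catches backdoors built on IAM users, so an equivalent join on `CreateRole`, `UpdateAssumeRolePolicy` and `AttachRolePolicy` is needed for role-based persistence, and CloudTrail delivers management events with a delay, so a "within ten minutes" join should be run over a window that has fully landed rather than over the newest files.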

Key Takeaways

This talk demonstrates that effective security isn’t about unlimited budgets or enterprise-grade tools—it’s about understanding attacker techniques and having the right analytical approach. Security professionals learn:

  • Budget-friendly techniques for insider threat detection
  • How to think like an attacker to build better defenses
  • Practical SQL queries for cloud security monitoring
  • The importance of balancing trust with proper security boundaries

Why This Matters

Insider threats are among the most difficult security challenges to detect, whether they come from malicious employees, compromised contractors, or—as humorously demonstrated—overly curious spouses. By showing real attack techniques alongside practical detection methods, this talk provides security teams with actionable skills they can implement immediately, regardless of their tool budget.

The presentation style makes complex security concepts accessible and memorable while delivering serious value for cloud security practitioners at any experience level.
