Insider threat or... Inside of the house?
Cloud security is a serious business, but what happens when the Advanced Persistent Threat shares your Wi-Fi password?
This presentation dives into the often-overlooked internal adversary: a spouse attempting to find the ultimate CTF flag: the cloud bill. Join us for a live-fire exercise where we attempt to creatively compromise our multi-cloud AWS, Azure, and GCP environment, while demonstrating how to catch this domestic espionage red-handed.
Forget expensive commercial tools - we'll show you how DuckDB, a high-performance analytical engine, lets us write expressive SQL queries against both configuration data and log data to detect suspicious activities and misconfigurations, while funneling critical cloud logs (CloudTrail, Azure Activity Logs, Cloud Audit Logs) into our SIEM.
Through playful attack scenarios that mirror the $1 billion North Korean IT worker infiltration campaign, we'll watch as my GCIH-certified spouse employs the same tactics that have compromised hundreds of Fortune 500 companies. This exercise reveals how legitimate access becomes the ultimate attack vector - whether from a curious spouse or a state-sponsored infiltrator.
The Sabotage: Witness how a trusted insider (who knows all my passwords) exploits legitimate access to:
- Create backdoor credentials with innocent-looking names
- Deploy "helper scripts" that maintain persistent access
- Establish cross-cloud exfiltration pathways disguised as routine data transfers
- Manipulate logging settings to cover their tracks
The Detection: See how powerful DuckDB SQL queries can:
- Identify unusual account creation patterns
- Flag suspicious cross-cloud resource access
- Detect attempts to disable or modify security logging
- Correlate seemingly unrelated activities into a coherent attack pattern
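The kind of DuckDB SQL the Detection section describes, as an added example rather than the presenter's own queries: a small constructed set of CloudTrail-style events (the table name, column names, principal ARN and IP addresses are all assumptions, not real data) and three queries that flag logging tampering, a burst of credential creation by one principal, and the correlation of the two into one pattern.

```sql
-- Constructed sample of CloudTrail-style events (not real data). On a real
-- estate, build this table with read_json_auto('cloudtrail/**/*.json.gz') instead.
CREATE TABLE cloudtrail AS
SELECT * FROM (VALUES
  (TIMESTAMP '2024-05-01 09:02:11', 'ConsoleLogin',      'signin.amazonaws.com',     'arn:aws:iam::111122223333:user/trusted-insider', '203.0.113.10'),
  (TIMESTAMP '2024-05-01 09:05:40', 'CreateUser',        'iam.amazonaws.com',        'arn:aws:iam::111122223333:user/trusted-insider', '203.0.113.10'),
  (TIMESTAMP '2024-05-01 09:06:02', 'CreateAccessKey',   'iam.amazonaws.com',        'arn:aws:iam::111122223333:user/trusted-insider', '203.0.113.10'),
  (TIMESTAMP '2024-05-01 09:07:15', 'AttachUserPolicy',  'iam.amazonaws.com',        'arn:aws:iam::111122223333:user/trusted-insider', '203.0.113.10'),
  (TIMESTAMP '2024-05-01 09:09:30', 'StopLogging',       'cloudtrail.amazonaws.com', 'arn:aws:iam::111122223333:user/trusted-insider', '203.0.113.10'),
  (TIMESTAMP '2024-05-01 14:20:00', 'DescribeInstances', 'ec2.amazonaws.com',        'arn:aws:iam::111122223333:role/Deploy',          '198.51.100.7')
) AS t(event_time, event_name, event_source, principal_arn, source_ip);

-- 1. Attempts to disable or weaken security logging: any write against the
--    CloudTrail service that stops, deletes or reshapes a trail.
SELECT event_time, principal_arn, event_name, source_ip
FROM cloudtrail
WHERE event_source = 'cloudtrail.amazonaws.com'
  AND event_name IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors');

-- 2. Unusual account-creation pattern: one principal performing two or more
--    distinct credential-creating actions within a 15-minute window.
WITH iam AS (
  SELECT principal_arn, event_time, event_name
  FROM cloudtrail
  WHERE event_source = 'iam.amazonaws.com'
    AND event_name IN ('CreateUser', 'CreateAccessKey', 'AttachUserPolicy', 'CreateLoginProfile')
)
SELECT principal_arn,
       min(event_time)                       AS first_seen,
       max(event_time)                       AS last_seen,
       list(event_name ORDER BY event_time)  AS sequence
FROM iam
GROUP BY principal_arn
HAVING count(DISTINCT event_name) >= 2
   AND date_diff('minute', min(event_time), max(event_time)) <= 15;

-- 3. Correlation: the same principal mints an access key and then touches
--    CloudTrail within the following hour, which is the attack pattern as a whole.
SELECT c.principal_arn,
       c.event_time AS key_created_at,
       l.event_time AS logging_changed_at,
       l.event_name AS logging_action
FROM cloudtrail c
JOIN cloudtrail l
  ON  l.principal_arn = c.principal_arn
  AND l.event_source  = 'cloudtrail.amazonaws.com'
  AND l.event_time BETWEEN c.event_time AND c.event_time + INTERVAL 1 HOUR
WHERE c.event_name = 'CreateAccessKey';
```

With the sample rows, all three queries return the trusted-insider principal and nothing for the Deploy role, which is the signal-versus-noise split the talk is after.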
The Fix: Understand practical remediation steps and hardening techniques:
- Implementing effective privilege boundaries (even for spouses!)
- Setting up alerting for suspicious identity activities
- Creating "canary tokens" that reveal unauthorized access
- Establishing secure multi-cloud governance that's difficult to circumvent
Security professionals will leave not only entertained but also equipped with practical, budget-friendly techniques. Learn how to turn your cloud security monitoring into a finely-tuned "spouse-trap" (and protect against actual malicious actors too!) across your entire cloud estate - all while discovering that the most effective security comes from balancing trust with proper boundaries.
Liz Gore is the Director of IT & Operations fixing both "series of tubes"—the Internet and the Plumbing.