[tptacek]

No, that's not common. The damages imputed to attackers arise directly from what they did. The problem is that people ignore a whole class of damages in these cases: the DFIR work that is required to ensure that whoever attacked you didn't also persist themselves somehow.

[kybernetikos]

The problem is that that work seems essentially unlimited (you can invent crazier and crazier possibilities that you need to check for), and doesn't seem to be something that we do so much for physical intrusions which nevertheless have the same features (you can find keys, take copies of keys, even change locks or cut make false walls / doors).

Your infrastructure should aim to be robust against people persisting themselves (in this case, something that allows an employee to persist themselves beyond the validity of their credentials is a serious problem whether the hacker does it or not). Where it is not, that's your failing. Charging the hacker for finding out where your infrastructure is failing is perverse since if anything their attack made it easier to spot a failing. If they did persist themeselves, then obviously the cost to fix that belongs on the hacker, but the cost to identify such things is something you should be doing anyway.

[tptacek]

The costs imputed to Keys in this case were under $20,000. There is absolutely no way the Tribune Corporation got a real, industry standard forensics investigation done for that sum of money.

I don't understand how you could impute the cost of auditing infrastructure for backdoors that could have been planted in a breach to the victim of the breach, rather than to the person convicted of causing the breach. We're not talking about having each of Trib Corp's applications assessed (the cost of that would be in the many hundreds of thousands of dollars, minimum).