The volume, variety, and velocity of change in vulnerabilities and exploits have made incident threat analysis challenging with human expertise and experience alone. The MITRE ATT&CK framework employs Tactics, Techniques, and Procedures (TTPs) to describe how and why attackers exploit vulnerabilities. However, a TTP description written by one security professional can be interpreted very differently by another, leading to confusion in cybersecurity operations or even in business, policy, and legal decisions. Meanwhile, advancements in AI have led to the increasing use of Natural Language Processing (NLP) algorithms to assist with various tasks in cyber operations. With the rise of Large Language Models (LLMs), NLP tasks have significantly improved because of LLMs' semantic understanding and scalability. This leads us to question how well LLMs can interpret TTP or general cyberattack descriptions. We propose and analyze the direct use of LLMs as well as training BaseLLMs with ATT&CK descriptions to study their capability in predicting ATT&CK tactics. Our results reveal that the BaseLLMs with supervised training provide a more focused and clearer differentiation between the ATT&CK tactics (if such differentiation exists). On the other hand, LLMs offer a broader interpretation of cyberattack techniques. Despite the power of LLMs, inherent ambiguity exists within their predictions. We thus summarize the existing challenges and recommend research directions on LLMs to deal with the inherent ambiguity of TTP descriptions.