If you have any devices on your network which support hardware-level virtualisation, and you don't use virtualisation, disable it; most PCs have it enabled by default.
If your BIOS/UEFI gets hacked then you need to wipe and reinstall it using an external programmer of sorts, either by desoldering the chips or by using a clip that attaches to the pins of the BIOS chip and to the GPIO pins on a Raspberry Pi, with flashrom. Just make sure your programmer is not compromised beforehand, otherwise you'll spread malware again.
Zero-days in a variety of software can be used to gain access to your BIOS, and just look at how easy it is to update your BIOS from a running OS.
Worth checking your router as well; Lizard Squad used this method to hack Sony game servers some time back, by using hacked off-the-shelf routers, and who checks the data going down the phone line from their router?
Sometimes it's worth double-NATting firewalls/routers together to see what one firewall/router is sending out. This is made easier with ISPs who provide routers that also have a fibre port, as you can plug the fibre port of a suspect router into another device acting like a fake ISP and find out what's leaving it.
Check and monitor all packets passing over your LAN. If you can't account for each and every packet, your system is arguably not secure. Use a proxy server to do a man-in-the-middle attack to log encrypted data, and modify the proxy to listen in on all ports and other protocols, not just HTTPS; you could modify it to listen in on encrypted email communication, for example.
One word of warning: I know of one very popular open-source firewall which hides messages from the syslog that would otherwise show the malware leaving this open-source firewall/router, and DNS lookups which only the ISPs/spooks would use which give out your manufacturer's details, e.g. http://www.php.net indicates HP devices behind the firewall. I haven't seen whether it's built into the source code of the BSD platform in question or whether one of the main developers' machines is the source of this malware, but burning everything to DVD gives me an audit trail of sorts. But even when burning to DVD, even when selecting the option to close the disc after burning so it can't be used like a USB device, it is still left open, so there is code hiding in plain sight which lets DVDs be updated by compromised systems later on.
The stuff I've seen works at the hardware level, hacking firmware because AV doesn't check firmware. Some AV doesn't even go beyond a certain number of iterations when checking zip files, so you could send a zip file which contains another zip, much like a Russian doll, and in the last zip there's something malicious, hiding beyond the reach of the AV scanner.
Systems allowing virtualisation can then boot up a compromised OS before the main OS boots, and then you can bypass fail2ban easily; plus, because you are on the inside, it's quickest to brute-force crack the passwords. The fact it's happened a couple of times with a significant gap between them suggests a local brute-force method could be used, which would suggest disabling any virtualisation that might exist on any of your devices. I think even the ARM chip on the Pis might have some sort of virtualisation.
So whilst you can log anything on the Pi and other devices on your network, as messages can be hidden, if rsyslog drops a message repeatedly in a particular order on the Pis then you can lull someone into a false sense of security. Although these are not the only techniques used by the spooks; other offline methods exist as well, and they start from when you go to school.
Considering firmware can be updated, some of the stuff I've seen sits in the spare space on these firmware chips, working in a distributed fashion, and not all manufacturers admit to their devices having updateable firmware, so breaking open devices and finding out which chips can be updated could be a clue.
Good luck, I think you will enjoy the puzzle.
I think the fact that section 56.4 exists in the UK Snoopers' Charter demonstrates I might be on the money when considering that even your mobile phone can be used to track you on your way to a weekend at Newquay, Cornwall, speeding down the M5.
Even right now, I know this Pi I'm using is compromised, but I need to devise a test to prove it and out the spooks à la the TalkTalk Nov 2015 hack/cover-up.
Don't think your SD card can't be hacked either.
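On the "Russian doll" zip point above: the defender-side fix is not a scanner that silently gives up after N layers, but one that reports whatever it could not open as a finding. The following is an added example in Python (not the poster's code) that walks nested zip archives to a configurable depth with a total-bytes budget as a zip-bomb guard, and treats "depth limit reached" or "size budget exceeded" as an incomplete scan. The depth and byte limits, the `build_nested_zip` helper (used only to construct sample input) and the report format are all assumptions of this example.

```python
"""Nested-archive inspector (added example, not from the original post).

Walks zip-inside-zip chains to a configured depth and records every member
it could not fully unpack, so "unscanned" is a finding rather than a pass.
"""
import io
import zipfile

MAX_DEPTH = 8                        # assumed: nested archive layers we will open
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed: uncompressed byte budget (zip-bomb guard)


def build_nested_zip(payload: bytes, levels: int, name: str = "inner") -> bytes:
    """Construct a Russian-doll zip: `payload` wrapped in `levels` zip layers.
    Only used here to create constructed sample input; the payload is inert."""
    data = payload
    inner_name = f"{name}.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data = buf.getvalue()
        inner_name = f"{name}{i}.zip"
    return data


def inspect_archive(blob: bytes, max_depth: int = MAX_DEPTH,
                    max_total_bytes: int = MAX_TOTAL_BYTES) -> dict:
    """Return a report listing every leaf file reached plus anything left unscanned."""
    report = {"leaves": [], "unscanned": [], "max_depth_seen": 0, "bytes_read": 0}

    def walk(data: bytes, path: str, depth: int) -> None:
        report["max_depth_seen"] = max(report["max_depth_seen"], depth)
        if not zipfile.is_zipfile(io.BytesIO(data)):
            # Not an archive: this is a leaf the AV engine would actually scan.
            report["leaves"].append((path, len(data)))
            return
        if depth >= max_depth:
            # Refuse to open deeper, but record it so the scan is marked incomplete.
            report["unscanned"].append((path, "depth limit reached"))
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                # Use the declared size before reading so a bomb cannot exhaust memory.
                if report["bytes_read"] + info.file_size > max_total_bytes:
                    report["unscanned"].append((member_path, "size budget exceeded"))
                    continue
                member = zf.read(info)
                report["bytes_read"] += len(member)
                walk(member, member_path, depth + 1)

    walk(blob, "<root>", 0)
    return report


def verdict(report: dict) -> str:
    """Anything the inspector could not reach is a finding, not a pass."""
    return "fully-scanned" if not report["unscanned"] else "incomplete-scan"


if __name__ == "__main__":
    sample = build_nested_zip(b"sample payload", 3)   # constructed 3-layer sample
    for depth in (8, 2):
        rep = inspect_archive(sample, max_depth=depth)
        print(f"max_depth={depth}: {verdict(rep)} leaves={rep['leaves']} "
              f"unscanned={rep['unscanned']}")
```

The point of `verdict` is the policy decision: a scanner that stops at a fixed iteration count and reports "clean" is exactly the gap the post describes, whereas one that reports "incomplete-scan" lets the file be quarantined or routed for manual review.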