Over at petri[.]com Russell Smith posted an easy to follow explanation of how someone who's gained unauthorized access to one PC may use that to gain access to other systems on the network. While it's aimed at IT folks, the same sort of stuff works on your home network, and is one reason why it matters that IoT devices, a NAS etc. are all secure. [Note: if you have a Western Digital NAS, a bunch of vulnerabilities have recently been discovered, & not yet patched AFAIK.]

"The Anatomy of a Privilege Escalation Attack"

petri[.]com/anatomy-privilege-escalation-attack

There are basically 2 ways that someone(s) can get unauthorized access to a system or network -- get a would-be victim to do something that grants them access, lets them in, or by exploiting a software vulnerability or weakness.

The 1st method is the most common, scamming users to give up their passwords, to run malware attached to emails, to download & run malicious software, to visit a malicious web site, or to visit a site that's been compromised or features malvertising & so on.

The second relies on exploiting vulnerabilities to get around security features &/or measures. Vulnerabilities are present when the system &/or network is set up improperly, &/or when security-related hot fixes or patches aren't applied. One security company reported that about 3/4 of the systems that were compromised had not had security patches applied. That makes sense -- most often when a security-related patch is released, it's accompanied by documentation of the vulnerability that's been fixed, often along with proof-of-concept code, and together they make a nice tutorial for cybercriminals. [It's also why software companies are so fond of automatic updates, vs. relying on users to check for & apply them.]

But there's another category of vulnerabilities, those that hardly anyone knows about, and consequently there aren't any patches available. These are so-called Zero Days, and they're more often used by more elite cybercriminals & spies, often working for a nation/state, often only for highly targeted systems &/or networks. There are companies & government agencies that work on developing these cyber weapons [the recent Wikileaks release says there are thousands of people working on Zero Days & related for the CIA], and pragmatically, arms dealers too.

Their very nature means that getting your hands on a collection of Zero Days is both difficult & expensive, though there have been a couple of publicized leaks from US intelligence agencies... One involved an archive of NSA tools that a group calling themselves Shadow Brokers tried to sell. The 2nd involves the recent Wikileaks release, where early reports say this very large trove of info [& computer code] was circulating among a group of ex US gov workers, one of whom passed a portion of it to Wikileaks.

Whether either of those was involved or not, people at Rand managed to get their hands on a couple hundred Zero Days, which they analyzed. They also talked to several experts, Zero Day developers, brokers etc., and did a statistical analysis to provide some insight into the current Zero Day market [for lack of a better word]. The main highlights are interesting on their own, though if you want to take a deeper dive there's a PDF available for download that contains the book they published.

If nothing else, at a time where the public is debating how much access governments should have, when privacy advocates are pushing back hard, and when there's a discussion regarding how many of these Zero Days government agencies should report to better protect their citizens & industries, reading just the highlights might provide some useful context.

rand[.]org/pubs/research_reports/RR1751.html

Zero Days, Thousands of Nights
The Life and Times of Zero-Day Vulnerabilities and Their Exploits