For example, init and login should not be accessing the network! Of course one can go one step deeper and inspect all file handles opened by all the processes, as a process can write stuff to a hidden log (and indeed memory!), and then some ok-looking process can fire up and do the actual net transfer, etc.
Of course, this would have to be a hardened kernel-level module.
So a little extra vigilance can take care of such attacks. But the crypto-weakening attacks don't seem to be so straightforward to manage, imho.
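The check described above (processes such as init and login holding network sockets), as an added example that is not part of the original comment: a user-space Python sketch that joins each process's open file handles against the kernel's TCP table by socket inode. The function names, the `WATCHED` set and the sample data are assumptions made for illustration; it covers IPv4 TCP only and is not the hardened kernel-level module the comment calls for.

```python
import os, re, socket, struct
from pathlib import Path

WATCHED = {"init", "login"}  # assumption: the two names the comment gives as examples

def decode(addr):
    """'0100007F:0016' -> '127.0.0.1:22' (IPv4 as printed on a little-endian host)."""
    ip, port = addr.split(":")
    return f"{socket.inet_ntoa(struct.pack('<I', int(ip, 16)))}:{int(port, 16)}"

def parse_net(text):
    """Map socket inode -> (local, remote) from /proc/net/tcp-style text."""
    table = {}
    for line in text.splitlines()[1:]:      # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[9] != "0":    # inode 0: socket no longer owned by a process
            table[f[9]] = (decode(f[1]), decode(f[2]))
    return table

def flag(procs, net_text, watched=WATCHED):
    """procs: {pid: (comm, [fd link targets])}. Return TCP sockets held by watched names."""
    sockets = parse_net(net_text)
    hits = []
    for pid, (comm, links) in sorted(procs.items()):
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m and comm in watched and m.group(1) in sockets:
                hits.append((pid, comm) + sockets[m.group(1)])
    return hits

def live_procs():
    """Build the same structure from a running Linux /proc (root needed to see every fd)."""
    out = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm, d = Path(f"/proc/{pid}/comm").read_text().strip(), f"/proc/{pid}/fd"
            out[int(pid)] = (comm, [os.readlink(f"{d}/{n}") for n in os.listdir(d)])
        except OSError:
            continue                        # process exited or access denied
    return out

# Constructed sample data, not captured from a real host.
SAMPLE_NET = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4001 1
   1: 0A00000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 4002 1"""
SAMPLE_PROCS = {1: ("init", ["/dev/null", "socket:[9000]"]),  # 9000 is not in the TCP table
                310: ("sshd", ["socket:[4001]"]),
                512: ("login", ["/dev/tty1", "socket:[4002]"])}
```

On a live Linux host, `flag(live_procs(), Path("/proc/net/tcp").read_text())` runs the same join. It does not see the staging case the comment mentions, where a watched process writes to a file or memory and a different process does the transfer.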