It is very common for active malware to "call home" (or beaconing), either to fetch updates and instructions or to send back stolen information..
In an internal network where web access to the Internet must go through a proxy, the traffic that doesn't pass through the proxy and by default is dropped by the gateway firewall could be valuable to detect malware call-home activities.
What are the techniques to detect malware call home/beaconing activities?