Hi @Omar, some great questions here…
How to prevent/detect the software initiating an encrypted VPN connection to the attacker
This is handled by Zscaler's deep security stack, in particular preventing connections to Command and Control systems via multiple methods (signature detections, URL/IP blocks, blocking undecryptable traffic, etc.).
How to prevent the attacker access to the internal network
This is actually a great use-case for Zscaler Private Access and ZTNA in general.
Instead of the user connecting to the network, the user will have access to only specific applications, many of which may not be vulnerable to whatever malicious software is running on the affected endpoint. This prevents malicious software from being able to easily move laterally.
Further, if there was an incident/breakout on the private network, the malware would not be able to initiate connections to the external client and worm in the reverse direction.
Hope that helps. Do let us know if you need to dig into this further.