For the best protection against firmware-based vectors I would say look into Heads firmware. But you specified you don't want to put in a custom BIOS. Without a chain of attestation from boot up, and a neutered ME, there is no real way to secure against firmware persistence (though one sort of workaround would be to install known-good factory firmware and then disable writes to the flash ROM by shorting out the WP (write protect) pin and using Anti Evil Maid to protect your /boot using a TPM). Though ME would still be there …
At the very least I would say coreboot firmware is a requirement IMHO. It provides a decent firmware alternative and does have ME neutering and other features.
It is difficult to know you are being targeted by very sophisticated adversaries. Like you say, one way of identifying a compromise is to use some kind of network inspection, where actual egress on the wire from your machine is monitored at the network/router level and you can alert on unusual things. Security Onion springs to mind, or if you just want something quick / plug-n-play then there is a quick-n-easy, bargain-basement free NTOPNG docker image which I put together using a free nProbe alternative. Coupled with softflowd on OpenWrt/pfSense routers this will give you an idea of network flows and who is being talked to/from your suspected compromised machine.
For views on firmware vectors, this is good reading from Joanna … I'm less inclined to see EC as a vector (see here for why) but it's all good info!
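Added example (my own code, not the poster's NTOPNG image or softflowd): a minimal NetFlow v5 parser plus an egress check of the kind the post describes, assuming softflowd is exporting v5; the suspect host address, the expected-destination allowlist and the sample datagram are all constructed for the demo.

```python
import struct
import ipaddress

# NetFlow v5 layout: 24-byte header followed by 48-byte records (network byte order).
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Return the flow records from one NetFlow v5 datagram as dicts."""
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(ipaddress.IPv4Address(f[0])),
                      "dst": str(ipaddress.IPv4Address(f[1])),
                      "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

# Constructed policy for the suspect host: expected (dst, dport, proto) tuples
# and a per-flow byte ceiling. Real values come from a baseline of normal traffic.
SUSPECT = "192.168.1.50"
EXPECTED = {("10.0.0.2", 53, 17), ("10.0.0.3", 443, 6)}
BYTE_LIMIT = 5_000_000

def unusual_egress(flows):
    """Flag flows leaving SUSPECT to an unexpected destination or above BYTE_LIMIT."""
    alerts = []
    for f in flows:
        if f["src"] != SUSPECT:
            continue  # only egress from the suspect host is of interest here
        if (f["dst"], f["dport"], f["proto"]) not in EXPECTED:
            alerts.append(("unexpected destination", f))
        elif f["bytes"] > BYTE_LIMIT:
            alerts.append(("volume", f))
    return alerts

def build_record(src, dst, nbytes, sport, dport, proto):
    """Pack one v5 record (constructed sample data; unused fields zeroed)."""
    return REC.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                    b"\0" * 4, 0, 0, 1, nbytes, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)

# Constructed datagram: one normal HTTPS flow, one to an unknown host, one oversized.
SAMPLE = (HDR.pack(5, 3, 0, 0, 0, 0, 0, 0, 0)
          + build_record(SUSPECT, "10.0.0.3", 1200, 51000, 443, 6)
          + build_record(SUSPECT, "203.0.113.9", 800, 51001, 9001, 6)
          + build_record(SUSPECT, "10.0.0.3", 9_000_000, 51002, 443, 6))
```

Feed real datagrams in by binding a UDP socket on the port softflowd exports to and passing each received payload to `parse_v5`.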