A successful targeted data breach is an iterative process in which the attacker bypasses prevention technologies. The key to differentiating between mass malware and more targeted attacks is asking the right questions. If a security professional discovers suspicious behavior, simply removing malware or re-imaging a machine won't achieve a lot. Removing one will inform the attacker, as a side effect, that you are aware of him and destroy any evidence that you have. Instead of focusing on removing the malware, focus on the significance of the endpoint, its owner, and the detected behavior.
Source: https://www.darkreading.com/attacks-breaches/is-your-security-operation-hooked-on-malware-

